{
	"id": "41b9cf76-d218-4030-94f8-57e454adf8e4",
	"created_at": "2026-04-06T00:17:18.913184Z",
	"updated_at": "2026-04-10T13:12:32.073898Z",
	"deleted_at": null,
	"sha1_hash": "5f321ee88807fdd546eb3f0fb17b344f6fe616b1",
	"title": "Evilgrab Delivered by Watering Hole Attack on President of Myanmar’s Website",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 552733,
	"plain_text": "Evilgrab Delivered by Watering Hole Attack on President of\r\nMyanmar’s Website\r\nBy Robert Falcone\r\nPublished: 2015-06-11 · Archived: 2026-04-05 18:26:22 UTC\r\nOn May 12, 2015, Unit 42 observed an apparent watering hole attack, also known as a strategic website compromise\r\n(SWC), involving the President of Myanmar's website. Visiting the main page hosted at \"www.president-office.gov[.]mm\" triggered the malicious content, as the threat actors injected an inline frame (IFRAME) into a\r\nJavaScript file used by Drupal for the site's theme.\r\nUnit 42 believes threat actors chose this website to set up a watering hole in order to target and gather information on\r\nindividuals in Myanmar, individuals involved in political relations with the country and/or organizations doing\r\nbusiness in Myanmar. Unit 42 has evidence to suggest the threat actors have had access to the website since\r\nNovember 2014 if not earlier.\r\nShortly after we reported the infection to the operators of the website, they took it offline. A new website containing\r\nthe same content is hosted at “www.myanmarpresidentoffice.info”, which has several artifacts and references to the\r\noriginal content hosted at “president-office.gov.mm” but does not contain the exploit code. We believe the use of the\r\nnew domain may be part of their remediation process.\r\nThis blog discusses the known details of the watering hole, interesting characteristics of the delivered Evilgrab sample\r\n(AKA Vidgrab) and the threat infrastructure associated with the attack.\r\nChain of Compromise\r\nThe main page previously hosted at \"www.president-office.gov.mm\" was powered by Drupal, which loaded several\r\nJavascript files that applied a Drupal theme. One of these Javascript files loaded by the main page, named \"script.js\"\r\nand seen in Figure 1, was responsible for several of the website's features, including the cycling slides of content on\r\nthe main page.\r\nFigure 1. 
External JavaScript Used to Load Drupal Theme\r\nThe \"script.js\" file also contained an IFRAME (Figure 2), which Unit 42 believes threat actors injected to exploit the\r\nbrowsers of visitors to the website. We analyzed the content in \"script.js\", as well as the HTTP response received from\r\nthe web server. One interesting thing to note is that the web server, specifically Drupal version 7, used HTTP\r\nresponses that contain the \"Last-Modified\" field for caching purposes. We checked the response for the \"script.js\" file\r\nthat contained the injected IFRAME and found a \"Last-Modified\" date of \"Wed, 24 Dec 2014 02:38:58 GMT\", which\r\nmay suggest that the threat actor injected the IFRAME on December 24, 2014.\r\nhttps://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/\r\nPage 1 of 11\n\nFigure 2. IFRAME Injected into Drupal JavaScript\r\nUnfortunately, we do not have access to the content that was hosted at this location and requests for access currently\r\nresult in an HTTP 404 Not Found error. Unit 42 cannot determine which vulnerability this code may have exploited\r\nwithout access to the content. But regardless of the vulnerability exploited, our WildFire system detected the payload\r\nin transit and classified the file as malware.\r\nUnit 42 is aware of another malicious script hosted on the President of Myanmar's website in November 2014, a\r\nmonth prior to when the IFRAME described in this blog appears to have been injected. 
VirusTotal captured the\r\ncontents hosted at the following URL[1], which hosted a VBScript[2] that exploited CVE-2014-6332 to install a\r\ndownloader Trojan:\r\nhttp://www.president-office.gov[.]mm/welcome[.]html\r\nThe downloader Trojan had the following characteristics:\r\nSHA256: b69106e06dc008e4fa1e4a0b0b58fcb1dc6d2016422a35cb3111168fd3fae577\r\nC2: mmslsh.tiger1234[.]com\r\nThis suggests threat actors, who may or may not be the same ones who injected the malicious IFRAME, have\r\ndisplayed a consistent interest in compromising visitors to this website since at least November 2014.\r\nPayload Installation\r\nOn May 12, 2015, a globally recognized organization in the oil and gas industry visited the following URL that hosted\r\nthe watering hole on the President of Myanmar's website:\r\nhttp://www.president-office.gov[.]mm/sites/all/modules/browscap/List_View.php\r\nVisiting this URL resulted in the download of a variant of the Evilgrab Trojan that has been used in past cyber\r\nespionage campaigns[3][4]. During our malware analysis efforts, we found some interesting features within this\r\nEvilgrab sample, which is denoted as version ‘V2014-v05’ and has the following attributes:\r\nFilename: newdata.exe\r\nMD5: 2e78e6d02aaed4f057f4dfa631ea5519\r\nSHA256: 10d9611e5b4ff41fc79e8907e3eb522630131b1bdc1010a0564c8780ba55c87c\r\nCompiled: 2015-04-30\r\nC2: dns.websecexp[.]com:81 (211.169.202.2)\r\nC2: ns.websecexp[.]com\r\nC2: appeur.gnway[.]cc\r\nMutex: 2010-3\r\nMutex: New2010-V3-Uninstall\r\nThis Evilgrab sample attempts to detect certain antivirus products on an infected system and will only run if it does\r\nnot detect the presence of Kaspersky, TrendMicro, Symantec's Norton, ESET, or AVG antivirus products. The initial\r\nEvilgrab payload has two embedded dynamic link libraries (DLL): it uses one DLL to load the second DLL that\r\ncontains the functional code. 
The initial payload carries out an installation process by storing both of these DLLs, as\r\nwell as the path to the initial payload, in the Windows registry in encrypted form to the following registry keys:\r\nSoftware\\rar\\data - Functional Code DLL\r\nSoftware\\rar\\s - Loader DLL\r\nSoftware\\rar\\e - Path to Initial Payload\r\nWhile previous Evilgrab versions also installed their functional code to these registry locations, the installation\r\nprocess itself within the initial Evilgrab payload includes an interesting anti-analysis technique that relies on the\r\nstructured exception handler (SEH) to call important functions.\r\nLet’s take a step back and first describe the structured exception handler, which is built into an application that includes\r\ncode to handle exceptions. The SEH allows a developer to catch exceptions that occur during the execution of the\r\napplication and run specific code to handle the exception instead of crashing the application. Exceptions can occur for\r\na variety of reasons, such as attempting to divide a value by zero or attempting to access a memory segment without\r\nthe proper permissions.\r\nThe initial Evilgrab payload uses the SEH to carry out the installation process, by setting up the SEH to call specific\r\nfunctions in the event of an exception and including code that purposefully causes an exception. Evilgrab uses the\r\nSEH and forced exceptions as an anti-analysis technique to add a level of difficulty to the malware analysis process.\r\nFor example, Evilgrab uses the assembly code in Figure 3 that shows a call to a function that we named\r\n'divBy0_invokeExceptionToCallXor58'.\r\nFigure 3. 
Assembly Code To Call Function that Forces an Exception\r\nThe call to the 'divBy0_invokeExceptionToCallXor58' function has a pointer to a buffer that contains cipher text\r\n(buf_LoaderDLLInCipherText), as well as a pointer to a DWORD (dd_LoaderDLLLength) that contains the length of\r\nthe buffer. In the 'divBy0_invokeExceptionToCallXor58' function, the assembly instructions in Figure 4 cause an\r\nexception by attempting to divide a value by zero by setting the value in 'ecx' to zero (xor ecx, ecx instruction) and\r\nattempting to divide the value in 'eax' by 'ecx' (idiv ecx instruction):\r\nFigure 4. Assembly Code To Force an Exception by Dividing by Zero\r\nThis division by zero exception invokes the SEH to call a specific function to handle the exception. The exception is\r\nhandled by the exception handler in Figure 5.\r\nFigure 5. Evilgrab's Exception Handler Invoked After Forcing an Exception\r\nThe exception handler was created to handle the division by zero exception by running the function that Unit 42\r\nnamed 'xorBufferBy58'. The purpose of forcing this exception is to call the 'xorBufferBy58', using the previously\r\nmentioned 'buf_codeInCipherText' and 'dd_codeLength' values as arguments.\r\nThe sample uses this technique to call functions we’ve named 'createWinlogonProcessAndInjectCode' and\r\n'launchInjectedCode'. The 'createWinlogonProcessAndInjectCode' function creates a suspended process\r\n(CREATE_SUSPENDED flag) using the %SYSTEM%\\winlogon.exe executable. It then allocates several memory\r\nsections within the winlogon.exe process using VirtualAllocEx and it writes data to these sections using\r\nWriteProcessMemory, including the compressed payload that was decrypted using the 'xorBufferBy58' function. 
It\r\nalso writes a block of shellcode to the entry point of the winlogon.exe process to load the EvilGrab loader DLL,\r\nwhich is responsible for obtaining the Evilgrab functional code from the registry and executing it. When the last\r\nexception has been triggered in the initial Evilgrab payload, the SEH calls the 'launchInjectedCode' function to resume\r\nthe suspended 'winlogon.exe' process to launch the Evilgrab functional code.\r\nEvilgrab Functionality\r\nEvilgrab is a fully functional remote administration tool (RAT) that allows threat actors to interact with compromised\r\nsystems to exfiltrate data. The method by which this Evilgrab payload communicates with its C2 server is rather\r\ninteresting. Previously publicly discussed Evilgrab samples sent a beacon of \"\\x01\\x00\\x00\\x00\\x33\" to the C2\r\nserver; however, this payload issues a fake HTTP request to the C2 server in place of this beacon. It uses raw sockets\r\nto send data to and receive data from its C2 server, which allows the payload to construct custom packets. The fake\r\nHTTP request used as a beacon is as follows:\r\nThe first four bytes (\\xdd\\x00\\x00\\x00) are anomalous, as the HTTP protocol requires the HTTP verb (GET, POST,\r\netc.) to be at the very beginning of the packet. The first four bytes in this packet specify the length of the following\r\ndata and the remaining bytes are data sent to the C2 server. Evilgrab will use this packet structure for all\r\ncorrespondence with the C2 server. In addition to the anomaly in the first four bytes, the HTTP Host field in the\r\nEvilgrab request is also anomalous as it contains a full URL instead of just the hostname of the web server. 
The\r\nmalware author put the full URL to a Windows update page in the Host field instead of including the URL portion\r\n(/windowsupdate/v6/default.aspx?ln=zh-cn) after the HTTP verb and the domain (update.microsoft.com) in the Host\r\nfield. The malware author chose this particular Windows update URL in an attempt to make the HTTP request look\r\nlegitimate.\r\nAfter the Evilgrab payload sends out this fake HTTP request beacon, it receives the C2 server's response and checks\r\nfor a specific response to confirm that the payload communicated with an Evilgrab C2 server. The payload checks the\r\nC2 server’s response for the following:\r\nThe response shown above is also an anomalous HTTP response for several reasons. First, the Location field does not\r\nhave a space before the location. Second, \"Bad Request (Invalid Verb)\" is used in an HTTP 400 Bad Request error\r\nmessage, not an HTTP 301 message. The HTTP 400 Bad Request error would make sense, as a web server would\r\nexpect the HTTP request to start with an HTTP verb but it begins with four bytes for the data length as previously\r\nmentioned. Mila at ContagioDump observed the same C2 response to Evilgrab in a delivery document exploiting\r\nCVE-2012-0158 in August 2013[5], but that sample did not use the fake HTTP request as a beacon as seen here.\r\nImmediately after receiving the appropriate C2 response to its beacon, Evilgrab sends a 4096-byte packet to the C2\r\nserver that contains the following:\r\n\\xfc\\x0f\\x00\\x00\\xa02015-05-13|(192.168.180.47)|49157|Windows7|J|A|No|0天0小时0分28秒|No|V2014-v05|2052|0|50fb78a5|0|0|\u003c3987 additional bytes\u003e\r\nAgain, the first four bytes are the length of the following data, followed by a static response identifier (0xA0) and a\r\npipe-delimited (‘|’) string of data gathered from the compromised system. 
Table 1 shows each field and the\r\ndescription of its contents.\r\nDescription | Data Type | Example Value\r\nCampaign ID | String | 2015-05-13\r\nSystem IP Address | String | (192.168.180.47)\r\nTCP Port from System | Decimal | 49157\r\nOperating System Version | String | Windows7\r\nFirst Letter of Hostname | Character | J\r\nFirst Letter of Username | Character | A\r\nVideo Capture Device Connected | String | No\r\nSystem Idle Time | String | 0天0小时0分28秒\r\nRemovable Drive Connected | String | No\r\nEvilgrab Version | String | V2014-v05\r\nEvilgrab Process ID | Decimal | 2052\r\nStatic Zero | Decimal | 0\r\nRandom value based on an initial value of 0x50FB125B repeatedly XORed with GetTickCount | Hexadecimal | 50fb78a5\r\nBoolean value indicating whether the keylogger is running | Hexadecimal | 0\r\nBoolean value that the operator sets via the 0x7e command for an unknown reason | Character | 0\r\nTable 1. Each element of the system data sent from Evilgrab to the C2 server\r\nThe functional Evilgrab code contains a fully featured command handler that allows an operator to interact with the\r\ninfected system to carry out remote administration activities and data exfiltration. Table 2 contains a comprehensive\r\nlist of the commands available within the command handler.\r\nCommand Description\r\n0x78 Turns on the QQ Memory Scraper and Keylogger\r\n0x79 Kills the QQ Memory Scraper and Keylogger functionality\r\n0x7a Sets flags within the class. One of the flags is the hexadecimal value in the initial data sent from the host, specifically the 13th element of the pipe-delimited string\r\n0x7b Uploads a specified file from the system to the C2 server\r\n0x7c Creates a file with a specified name.\r\n0x7d Sends the flags that indicate whether the QQ Memory Scraper and Keylogger are running\r\n0x7e Sets a boolean value within the ActiveSettings. 
Unknown reason, but operators may use it to note if\r\nthey have been there or not.\r\n0x82 Enumerate mounted volumes of storage and their type. The drive type prefixes the volume label, and the drive type prefixes sent within the response to the C2 are: Removable F-Fixed N-remote (network) C-cdrom D-ramdisk\r\n0x83 List contents of a folder, or file, along with each file's last modification time, filename and file attributes\r\n0x84 Check to see if a specific file exists.\r\n0x85 Receive a file from the C2 and Execute it\r\n0x86 Creates a file and sets the file pointer\r\n0x87 Close handles to files created in command 0x85\r\n0x88 Loads a DLL using ShellExecuteW using the \"open\" verb.\r\n0x89 Creates a directory with a specified name\r\n0x8a Delete a specified file\r\n0x8b Delete a directory and its contents.\r\n0x8c Obtains the creation, modification and access times of a file and sends them to the C2\r\n0x8e Executes a file using Explorer's token or runs a DLL using ShellExecuteW and the open verb.\r\n0x8f Move a specified file to a specified location\r\n0x90 Steal credentials from Windows Protected Storage (PStore)\r\n0x92 Create a reverse shell\r\n0x93 Write string to file for an unknown purpose.\r\n0x94 Sets flag v2 + 0x19\r\n0x98 Enumerates visible Windows and reports the process names to the C2\r\n0x99 Sends the WM_DESTROY message to a specific Window to close it\r\n0x9a Show a specified Window and set it as the foreground\r\n0x9b Show a specified Window\r\n0x9c Set the title of a Window\r\n0x9d Interact with open window by issuing keystrokes.\r\n0x9f Issue keystroke\r\n0xb0 Compares the length of v2 + 0xB2 with the specified value.\r\n0xb1 Set a specified registry value, and responds with \"\\xa6打开子健失败\" (Open Zijian failure) if it fails.\r\n0xb2 Delete a specified registry value, and responds with \"\\xa6删除子健失败\" (Remove Zijian failure) if it fails or \"\\xa5删除子健成功\" (Remove Zijian success) if successful.\r\n0xb3 Enumerates the values within a specified registry key, and responds with \"\\xa5获取目标信息失败\" or \"\\xa5Failed to obtain key information\" if it is unsuccessful.\r\n0xb4 Rename a specific registry key to another value, and responds with \"\\xa6重命名子健失败\" or \"\\xa6Rename Zijian failure\" if it is unsuccessful.\r\n0xb5 Create a specific registry key, and responds with \"\\a7新建项成功\" or \"\\a7New item successful\" if it is successful.\r\n0xb7 Deletes a specified key, and responds with \"\\xaa删除Key失败\" (Delete key failure) if it is unsuccessful or \"\\xab删除Key成功\" (Delete Key Success) if successful.\r\n0xb8 Echoes the message 0xb8 back to the C2\r\n0xb9 List services and each service's status and boot method\r\n0xba Start or stop a service.\r\n0xbb Modify the configuration of a service.\r\n0xbc Creates a service using specified name, description and binary path, and responds with \"创建服务 \u003cname\u003e 成功\" (Create a service \u003cname\u003e success) if successful.\r\n0xbd Determines available network locations (TCP and UDP) by calling the GetExtendedTcpTable and GetExtendedUdpTable API functions\r\n0xbe List running processes.\r\n0xbf Terminate a specified process\r\n0xc0 Gathers system information, such as operating system version, CPU name and speed, physical memory and amount available, current process ID, as well as data saved to the clipboard.\r\n0xc1 Uninstall Evilgrab.\r\n0xc2 Stop Evilgrab's main thread, effectively killing Evilgrab until next reboot\r\n0xc3 Same as 0xc2 command\r\n0xc5 Create a temporary file.\r\n0xe0 Closes an open TCP connection that matches a specified network location. This command uses the SetTcpEntry function to close a connection. 
This command responds \"关闭连接成功\" (Close the\r\nconnection is successful).\r\n0xe1 Take a single screenshot\r\n0xe2 Take a single screenshot\r\n0xe3 Starts video capture using single screenshots.\r\n0xe4 Echoes the message 0xe4 back to the C2\r\n0xe5 Starts video capture using single screenshots.\r\n0xe6 List contents of a folder.\r\n0xe9 Sets up proxy communication point between the C2 and another specified network location over a specified TCP port.\r\n0xea Closes the thread responsible for the proxy communications set up in the 0xe9 command\r\n0xec Sets up the VideoInputDeviceCategory class for video capture\r\n0xed Closes a Window, appears to stop the video capture using VideoInputDeviceCategory\r\n0xee Starts video capture using the VideoInputDeviceCategory class\r\n0xf0 Starts audio capture that it sends directly to the C2\r\n0xf1 Appears to stop the audio capture\r\n0xf2 Search for specific files and exfiltrate their contents.\r\n0xf5 Stops the thread that was created in command 0xf2 to exfiltrate files by setting a specific flag (mainDataStructure[800])\r\nTable 2. 
Commands available in Evilgrab command handler\r\nIn addition to the command handler, Evilgrab’s functional code also contains the following supplemental\r\nfunctionality:\r\nPlugin Support - Evilgrab enumerates the %USERPROFILE%\\\\WindowsPlugin folder and runs all files with a\r\n\".exe\" file extension.\r\nQQ Monitoring – Evilgrab monitors for windows associated with Tencent’s QQ messaging program and will\r\nscrape memory for strings to steal messages.\r\nKeylogging – Logs keystrokes to ‘%USERPROFILE%\\users.bin’.\r\nUnit 42 created a ChopShop module to parse packet captures containing communications between Evilgrab and its C2\r\nserver.\r\nInfrastructure Analysis\r\nThe Evilgrab payload delivered by the watering hole had the following hardcoded domains that it uses as C2 servers:\r\ndns.websecexp[.]com\r\nns.websecexp[.]com\r\nappeur.gnway[.]cc\r\nUnit 42 discovered additional infrastructure related to these three domains, as seen in the chart in Figure 6.\r\nFigure 6. Infrastructure related to Evilgrab C2 Servers\r\nUnit 42 is aware of the following additional subdomains hosted on the domain websecexp[.]com:\r\nusafi.websecexp[.]com\r\nusacia.websecexp[.]com\r\nwebhttps.websecexp[.]com\r\nusagovdns.websecexp[.]com\r\nThe domain dns.websecexp[.]com had also been used as a C2 server for a sample of the 9002 Trojan, which is another\r\ntool used in cyber espionage campaigns. This domain resolved to the IP address 59.188.16[.]130 as far back as\r\nDecember 2013, which also hosted the following domains. In contrast to websecexp[.]com, this second level was\r\nregistered using a service to hide the registrant information:\r\nceshi.mailpseonfz[.]com\r\ndns.mailpseonfz[.]com\r\nUnit 42 is aware of the ceshi.mailpseonfz[.]com domain hosting C2 services for another Evilgrab sample, as well as a\r\nsample of the 9002 Trojan. 
The time frame that the infrastructure above has hosted Evilgrab and 9002 C2 servers spans\r\nfrom 2013 to 2015, which suggests the same group is reusing the same infrastructure over a period of years.\r\nConclusion\r\nThreat actors compromised the President of Myanmar's website to create a watering hole to infect visitors to the\r\nwebsite. Based on data collected in our threat intelligence cloud, the watering hole was active and delivering a\r\nmalicious payload during May 2015. Open source intelligence suggests that the site may have been a watering hole\r\ncontaining an exploit for CVE-2014-6332 in November 2014 as well. Setting up a watering hole on this site suggests\r\nthe threat actors, possibly comprising more than one group, are looking to collect information on individuals in\r\nMyanmar, individuals involved in political relations with the country and/or organizations doing business in\r\nMyanmar.\r\nThe May 2015 watering hole delivered a variant of the Evilgrab Trojan to visitors via an unknown vulnerability. The\r\nEvilgrab payload itself uses an interesting anti-analysis technique to increase the complexity required to analyze the\r\nTrojan. In addition, the Evilgrab payload delivered by this watering hole shares infrastructure that has hosted C2\r\nservers for other Evilgrab payloads, as well as samples of the 9002 Trojan. The threat actors have used this\r\ninfrastructure in attacks since at least 2013.\r\nThis watering hole attack shows threat groups’ continued adoption of this attack vector, as it is much more difficult to\r\nanalyze and detect than the typical spear-phishing attacks. 
Once a threat actor has control over the web server hosting\r\nthe watering hole, the actor can control when to start and stop the delivery of the malicious content, which requires\r\nconstant monitoring of traffic to the website to determine if and when the attack occurs. However, in this case the\r\nthreat actors reused old infrastructure to host the C2 servers for the delivered payload, which made detection and\r\nattribution easier.\r\n[1] https://www.virustotal.com/en/url/91f7d6612c79cc0b266891c447359853614546837b003836ab342b091ee1a6cc/analysis/\r\n[2] https://www.virustotal.com/en/file/b8c37a1db36d702932b5db97ec150269a323b5dc76059062beff7e330f2d136d/analysis/\r\n[3] http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/\r\n[4] http://pwc.blogs.com/files/cto-tib-20150223-01a.pdf\r\n[5] http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html\r\nIndicators from this report\r\nSHA256 values:\r\nEvilGrab\r\n10d9611e5b4ff41fc79e8907e3eb522630131b1bdc1010a0564c8780ba55c87c\r\nRelated Downloader Trojan\r\nb69106e06dc008e4fa1e4a0b0b58fcb1dc6d2016422a35cb3111168fd3fae577\r\nSource: https://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/"
	],
	"report_names": [
		"evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website"
	],
	"threat_actors": [],
	"ts_created_at": 1775434638,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f321ee88807fdd546eb3f0fb17b344f6fe616b1.pdf",
		"text": "https://archive.orkl.eu/5f321ee88807fdd546eb3f0fb17b344f6fe616b1.txt",
		"img": "https://archive.orkl.eu/5f321ee88807fdd546eb3f0fb17b344f6fe616b1.jpg"
	}
}