# Donot Team Leverages New Modular Malware Framework in South Asia ###### ASERT team (https://www.arbornetworks.com/blog/asert/author/asert-team/) on March 8, 2018. (https://www.arbornetworks.com/blog/asert/2018/03/) Authors: Dennis Schwarz and Jill Sopko Special thanks to Richard Hummel and Hardik Modi for their contributions on this post. (https://www.arbornetworks.com/blog/asert/donot-team-leverages-newmodular-malware-framework-south-asia/decoy_doc-2/) ###### Figure 1: Pakistan themed decoy document ###### Key Findings ASERT discovered a new modular malware framework, we call yty, that focuses on �le collection, screenshots, and keylogging. ----- ###### created the yty framework. With medium con�dence, ASERT believes this new malware framework will pick up where EHDevel left o� and continue to focus on targets in South Asia. Overview In late January 2018, ASERT discovered a new modular malware framework we call “yty”. The framework shares a striking resemblance to the EHDevel framework. We believe with medium con�dence that a team we call internally as “Donot Team” is responsible for the new malware and will resume targeting of South Asia. In a likely e�ort to disguise the malware and its operations, the authors coded several references into the malware for football—it is unclear whether they mean American football or soccer. The theme may allow the network tra�c to �y under the radar. While we believe this framework and its components are new, it shares many Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) with the EHDevel malware framework. In September 2017, Bitdefender released a white paper (https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a- continuously-improving-advanced-threat-creation-toolkit/) describing EHDevel and some of the campaigns that used it. Some of the highlights of it included the following: Labeled as an APT (advanced persistent threat) and active since at least 2016. Modular architecture with malware functionality spread over multiple components. Components used a variety of programming languages (C++, .NET, Python, VBS, and AutoIt). Functionality included: �le collection, screenshots, key logging, and gathering system information. Command and control (C2) hosts stored in a document hosted on Google Docs. Decoy documents, timestamp analysis, and C2 server log analysis showed a focus on Pakistan. We assess with medium con�dence that the yty framework is a replacement for the EHDevel framework and that the Donot Team may start using it in campaigns in a similar manner as EHDevel. ----- ###### improving and modifying their malware framework, adding to their sophistication. Campaign Analysis Donot Team campaigns use multiple methods to mimic legitimate applications, organizations, and services like Adobe, Gmail or news outlets. They also including seemingly benign domains that likely raise minimal suspicion to a human observer. The following domains are a few examples: abodeupdater[.]com Adobe update services qmails[.]org Gmail webmail service serviceupports[.]com Generic services domains sundayobserver[.]net Mimics weekly English-language newspaper in Sri Lanka thebangladeshtoday[.]net English version of the national daily newspaper in Bangladesh The actors use false personas to register their domains instead of opting for privacy protection services. Depending on the registrar service chosen, this could be seen as another cost control measure. The actors often used typo-squatting to slightly alter a legitimate domain name. In contrast, the registration information used accurate spelling, possibly indicating the domain naming was intentional, typos included. Each unique registrant usually registered only a few domains, but mistakenly reused phone numbers or the registration data portrayed a similar pattern across domains. Looking at shared IP infrastructure, it was easy to see the registration patterns and expand the network used by the attackers. The Donot Team relies heavily on subdomains. Nearly every domain discovered through the course of this investigation had multiple, unique subdomains and every malware sample analyzed communicated to subdomains. In at least two instances, the domain never resolved to an IP address. Instead, the malware used subdomains, which lead to active infrastructure. Many of the sub-domains only navigated to the third level, but other samples used overly complex subdomain structures down to the sixth or seventh level. update.[.]com service.[.]org mail-live.outlook-com.332dhgka93t-veri9fjg3j- 2s33gl.system.thebangladeshtoday[.]net ----- ###### for as little as three days before going o�ine. It is possible the attackers use these small windows to test their malware operations. Although we did not observe the original distribution of the core binary, we believe the group speci�cally targeted Pakistani individuals based on the decoy documents observed. They appeared to be o�cial Government of Pakistan memos, see Figure 1, above. Attribution Donot Team’s TTPs, infrastructure, and the malware code are strikingly similar to the EHDevel malware reported by BitDefender and is likely the same group of operators. Bitdefender noted that the EHDevel malware appeared similar to malware analyzed by Blue Coat Labs in their report “Snake in the Grass (https://github.com/aptnotes/data/�les/679036/Snake.In.The.Grass.-.Python- based.Malware.Used.For.Targeted.Attacks.-.BLUE.COAT.LABS.pdf)”. The “Snake in the Grass” report also showed malware similarities and infrastructure overlap with Operation Hangover (also known as the Patchwork Group). While Arbor agrees that there are suspicious similarities between the Donot Team and Patchwork, we did not uncover de�nitive evidence to link the two groups. Additionally, a malicious document associated with yty was tagged (https://twitter.com/HybridAnalysis/status/968958087712460800) by Hybrid Analysis as “Viceroy Tiger”, but there hasn’t been much recent public information on this group that we could �nd to corroborate. yty Malware Framework Analysis One of the TTPs associated with the Donot Team is the use of modular/plugin- based malware frameworks. We call the new malware framework “yty” (based on debugging strings in its components). The components of the framework are shown in Figure 2: ----- (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/file_drops/) ###### Figure 2: yty malware components. ###### Circular.xls Analysis The �rst piece of the framework is a malicious Excel document named “Cirular.xls” (9ce56e1403469fc74c8�61dde4e83ad72597c66ce07bbae12fa70183687b32d). The content of the spreadsheet is an executable that is extracted and executed by macros, Figure 3. ----- (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/macro1/) ###### Figure 3: Circular.xls macro script ###### The delivery mechanism for the XLS �le is unknown, but evidence suggests it could be a test document as seen in Figure 4: (https://www.arbornetworks.com/blog/asert/donotteam-leverages-new-modular-malwareframework-south-asia/metadata/) ###### Figure 4: XLS document properties ###### .exe (Downloader 1) Analysis SHA256: 8d7eb0b7251bc4a40ebc9142a59ed8af16fb11cf8168e76dca48a78d6d7e4595 Compilation Date: 2018-02-05 09:06:13 PDB Path: C:\Users\donot\Documents\Visual Studio 2010\Projects\downloader\Debug\downloader.pdb Due to a bug in the macro code, the extracted executable is saved as “.exe”. This is a stripped down C++ program that, as its PDB path string indicates, downloads ----- ###### http://conf.serviceupdateres[.]com/Setup.exe This host is a direct overlap with the EHDevel malware framework as it was also seen distributing payloads in Bitdefender’s analysis. Setup.exe (Downloader 2) Analysis SHA256: 6bbd10ac20782542f40f78471c30c52f0619b91639840e60831dd665f9396365 Compilation Date: 2018-01-04 09:43:28 PDB Path: C:\Users\803\Desktop\ytyboth\yty 2.0\Release\Setup.pdb Setup.exe is another downloader written in C++ but contains more functionality than the “.exe” downloader. First, it checks/creates a mutex named “toptwo” so that only one copy of itself is running on the victim. Evasion Techniques To confuse malware analysts, it mixes in junk code as seen in Figure 5. (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/junk_code/) ###### Figure 5: Junk code contained in binary. ###### It also has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware (example in Figure 6): (https://www.arbornetworks.com/blog/asert/donotteam-leverages-new-modular-malware-frameworksouth-asia/anti_vm/) ###### Figure 6: VMWare check. ###### Debugging Code ----- ###### debugging purposes, though the messages are not as verbose as in EHDevel’s samples, Figure 7. [(https://www.arbornetworks.com/blog/asert/donot-](https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/debug_log/) team-leverages-new-modular-malwareframework-south-asia/debug_log/) ###### Figure 7: Debugging log Command & Control Much like EHDevel, in order to get its C2 host, it downloads a �le from Google Docs. The document in this case was located at: https://drive.google[.]com/uc? authuser=0&id=1BUuYXU6bLdH_k_NWQIo7n5Uo_7L- uZSu&export=download At the time of research, the name of the document was “ip2.txt” and it contained the following IP address: 5.135.199[.]0 Per its metadata, the owner of the document is: Alfred Vil� masterplan00007@gmail.com An example C2 beacon is show in Figure 8: ----- (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/setup_phonehome/) ###### Figure 8: C2 beacon ###### Based on the “/football/goal”, “score”, “ball”, and “loose” strings they are using a football theme to help disguise its tra�c. The POST data contains: CPU information Windows version Is a virtual machine? Computer name User name Serial number of main disk volume At the time of analysis, we only elicited a “loose” response from the C2 server. Continued execution is reliant on eliciting a “win” response. If a “win” response does not occur, the malware continues beaconing until it receives the appropriate response. Once the correct response is seen, the malware downloads the next component from the same C2 using the following URL path: /f tb ll/d l d/2/b th l ----- ###### A secondary macro in circular.xls establishes persistence for the setup.exe download as seen in Figure 9. (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/macro2/) ###### Figure 9: Persistence mechanism ###### Unique Strings Setup.exe introduces three common names seen in the rest of the malware framework: “yty”, the name we use for the framework, from the PDB path string. “bigdata” from the schtasks /tn (taskname) parameter used in the persistence mechanism. A “bot id” consisting of computer name, user name, and volume serial number separated by dashes. boothelp.exe – Plugin Downloader SHA256: a2e9d9a00e7e75ab1d5e96dd327a89b55608a0319461f2866aadada5bd50e728 Compilation Date: 2018-01-03 09:42:00 PDB Path: C:\Users\803\Desktop\ytyboth\yty 2.0\Release\boothelp.pdb Another TTP used by the Donot Team is the transition from one programming language to another. We see this with boothelp.exe, which is written in .NET– instead of C++ like the other components. boothelp.exe is a downloader responsible for retrieving modules/plugins that contain added functionality. The plugin downloader uses the same C2 channels as setup.exe by downloading a Google Doc �le which contains the C2 IP address. It then continues the football theme by beaconing to the “/football/�ag” folder on the C2 server, Figure 10. ----- (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/boothelp_phonehome/) ###### Figure 10: C2 communications to retrieve modules ###### Using an HTML
element labeled “pcinfo”—possibly displayed verbatim in the C2 panel—the malware beacon message contains various pieces of system information outlined below: User name Computer name Windows version Number of processors System directory Domain name ----- ###### CPU information The response from the C2 is an odd string containing multiple pieces, delimited by various characters, but boils down to what plugins to download/run and their �le sizes. The plugins for this framework were downloaded from the same URI path (“/football/download/2/”) where boothelp.exe was located. As of February 2018, we observed the following plugins: vstservice.exe – document listing plugin abode.exe – �le ex�ltration plugin mdriver.exe – key logger plugin dspcheck.exe – screenshot plugin mboard.exe – system information plugin These modules share functionality with components of the EHDevel framework, creating further overlap between the two malware frameworks. boothelp.exe has an interesting but unused function that takes a list of benign URLs and opens connections to them. As noted previously, we believe the actors are still testing the malware framework and it’s possible these URLs will become an anti-analysis feature to hide C2 communication among benign tra�c. Some of the interesting benign URLs listed below: https://www.google[.]co.in/ http://www.imdb[.]com/title/tt3501632/ https://www.rottentomatoes[.]com/m/thor_ragnarok_2017 vstservice.exe – File Listing Plugin SHA256: e3fb0ab2f3d11f12c11b3ee1e1781eaec5581def820afe7e01902f31ba9e1936 Compilation Date: 2018-01-03 08:14:32 PDB Path: C:\Users\803\Desktop\ytyboth\yty 2.0\Release\vstservice.pdb The vstservice.exe plugin is .NET �le responsible for sending a list of the �le system to the C2. The malware retrieves the C2 from a Google Docs �le like the previous binaries. The �le was located at the following location: https://docs.google[.]com/uc? id=0B42CqDoBbigYM1lEamRDRjhFbGc&export=download At the time of research, the Google Doc was named “domain.txt” and contained the following C2 host: upload.cloudsekurity[.]online Per its metadata, it is owned by the same owner as the document above. The plugin sends two �le listings. The �rst one focuses on �les with the following ----- ###### pdf doc xls docx xlsx pptx docm rtf inp xlsm csv odt pps vcf The second one contains all other �les. An example is shown in Figure 11. ----- (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/vts_exfil/) ###### Figure 11: C2 �le list name ex�ltration ###### The URL path for this C2 references the “bigdata” string observed in the macro persistence mechanism. Some of the POST parameters are unclear, but contain the following items: status – hardcoded to “Found” path – hardcoded to “Unknown” pc – bot ID type – unclear fname – �le name cnumber – a number representative of large �les broken into chunks orname – unclear o�d order ID for �les broken into chunks ----- ###### connects to benign URLs. Some of the URLs are listed below: https://www.livechart[.]me/fall-2017/tv https://500px[.]com/editors https://paytm[.]com/metro-card-recharge abode.exe – File Exfiltration Plugin SHA256: 4d0114b1292714a13d43a4c0de3ea4498fa752354ad4f5b73a8ba441af6064ae Compilation Date: 2018-01-03 08:14:46 PDB Path: C:\Users\803\Desktop\ytyboth\yty 2.0\Release\abode.pdb abode.exe is a .NET �le capable of �le ex�ltration. It uses the same Google Doc document and C2 as the vstservice.exe plugin. Two sets of �les can be ex�ltrated. The �rst set is a periodic sending of �les generated by other plugins that do not include a C2 mechanism themselves. The second set of �les is speci�ed by the C2 as seen in Figure 12. (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/abode_poll/) ###### Figure 12: C2 response specifying �le for ex�ltration ----- ###### then sent to the C2 as seen in Figure 13. (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/abobe_file_send/) ###### Figure 13: File ex�ltration ###### This plugin also includes unused, benign URLs as seen below: https://www.gamespot[.]com/ https://www.rottentomatoes[.]com/tv/mr_robot/s03 mdriver.exe – Keylogger Plugin SHA256: 600e7cfeea0ef8bd23cf95602a6b873898aa51848909aad1a7e8d4c5403797af Compilation Date: 2018-01-03 08:14:19 PDB Path: C:\Users\803\Desktop\ytyboth\yty 2.0\Release\mdriver.pdb ----- ###### “twotwo“, uses the Windows SetWindowsHookEx and SetWinEventHook APIs to perform its key logging, and then relies on abobe.exe to ex�ltrate the captured key strokes. Figure 14 shows an example of ex�ltrated key log data. (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/keylogger/) ###### Figure 14: Key log ex�ltration ###### dspcheck.exe – Screenshot Plugin SHA256: 7d893d4f077e8e76a44a7830c5c3806dc956a6ef1a06c9f2dc33477c70f8cc9b Compilation Date: 2018-01-09 08:33:36 PDB Path: D:\Soft\DevelopedCode\yty 2.0\Release\dspcheck.pdb ----- ###### evidence that the actors are continuing their testing e�orts as seen in Figure 15. (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/dsp_testing/) ###### Figure 15: Screenshot code shows testing evidence ###### It has the beginnings of C2 functionality, but this sample still relies on abobe.exe to send screenshots back to the C2, see Figure 16. (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/screenshot_exfil/) ###### Figure 16: Screenshot ex�ltration ###### mboard.exe – System Information Plugin Packed SHA256: 50281cdd1b22f2b85de5809bf69ebd10e399410f519e357c1cb941c5dc7c95e1 ----- ###### and is packed with UPX. The purpose of this plugin is to gather various system information such as the following: Drive information Output of systeminfo command Installed software Output of ipcon�g /all command Output of net view command Output of tasklist command The collected is saved into multiple �les with a “qr” extension appended. They are then sent to the C2 via abobe.exe. An example showing the running process list being sent to the C2 is shown in Figure 17. (https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modularmalware-framework-south-asia/sysinfo_exfil/) ###### Figure 17: Running process list ex�ltration ###### Appendix A (IOCs): SHA256 Hashes 9ce56e1403469fc74c8�61dde4e83ad72597c66ce07bbae12fa70183687b32d 8d7eb0b7251bc4a40ebc9142a59ed8af16fb11cf8168e76dca48a78d6d7e4595 ----- ###### e3fb0ab2f3d11f12c11b3ee1e1781eaec5581def820afe7e01902f31ba9e1936 4d0114b1292714a13d43a4c0de3ea4498fa752354ad4f5b73a8ba441af6064ae 600e7cfeea0ef8bd23cf95602a6b873898aa51848909aad1a7e8d4c5403797af 7d893d4f077e8e76a44a7830c5c3806dc956a6ef1a06c9f2dc33477c70f8cc9b 50281cdd1b22f2b85de5809bf69ebd10e399410f519e357c1cb941c5dc7c95e1 C2 Domains conf[.]serviceupdateres[.]com upload[.]cloudsekurity[.]online abodeupdater[.]com qmails[.]org serviceupports[.]com thebangladeshtoday[.]net sundayobserver[.]net C2 IP Addresses 5[.]135[.]199[.]0 89[.]33[.]246[.]99 Share this: **[Share](javascript:void(0);)** **[Share 20](https://www.facebook.com/sharer/sharer.php?app_id=249643311490&kid_directed_site=0&sdk=joey&u=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fdonot-team-leverages-new-modular-malware-framework-south-asia%2F&display=popup&ref=plugin&src=share_button)** [Tweet](https://twitter.com/intent/tweet?original_referer=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fdonot-team-leverages-new-modular-malware-framework-south-asia%2F&ref_src=twsrc%5Etfw&text=Donot%20Team%20Leverages%20New%20Modular%20Malware%20Framework%20in%20South%20Asia&tw_p=tweetbutton&url=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fdonot-team-leverages-new-modular-malware-framework-south-asia%2F) [submit](https://www.reddit.com/submit?url=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fdonot-team-leverages-new-modular-malware-framework-south-asia%2F&title=Donot%20Team%20Leverages%20New%20Modular%20Malware%20Framework%20in%20South%20Asia) **Save (https://www.pinterest.com/pin/create/button/?guid=G6X66LGNvBBG-** **2&url=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fdonot-team-leverages-new-modular-malware-framework-** **[south-asia%2F&media=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fwp-](https://www.pinterest.com/pin/create/button/?guid=G6X66LGNvBBG-2&url=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fdonot-team-leverages-new-modular-malware-framework-south-asia%2F&media=https%3A%2F%2Fwww.arbornetworks.com%2Fblog%2Fasert%2Fwp-content%2Fuploads%2F2018%2F03%2Fdecoy_doc-1.png&description=Donot%20Team%20Leverages%20New%20Modular%20Malware%20Framework%20in%20South%20Asia)** **content%2Fuploads%2F2018%2F03%2Fdecoy_doc-** ###### Posted in advanced persistent threats1.png&description=Donot%20Team%20Leverages%20New%20Modular%20Malware%20Framework%20in%20South%20Asia) (https://www.arbornetworks.com/blog/asert/category/advanced-persistent- threats/), analysis (https://www.arbornetworks.com/blog/asert/category/analysis/), Botnets (https://www.arbornetworks.com/blog/asert/category/botnets/), indicators of compromise (https://www.arbornetworks.com/blog/asert/category/indicators- of-compromise/), Interesting Research (https://www.arbornetworks.com/blog/asert/category/interesting-research/), Malware (https://www.arbornetworks.com/blog/asert/category/malware/), Reverse Engineering (https://www.arbornetworks.com/blog/asert/category/reverse-engineering/), threat analysis (https://www.arbornetworks.com/blog/asert/category/threat- analysis/) | No Comments (https://www.arbornetworks.com/blog/asert/donot-team- leverages-new-modular-malware-framework-south-asia/#respond) ----- **Comment** **Name *** **Email *** **Website** POST COMMENT « NETSCOUT Arbor Con�rms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us [(https://www.arbornetworks.com/blog/asert/netscout-](https://www.arbornetworks.com/blog/asert/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/) arbor-con�rms-1-7-tbps-ddos-attack-terabitattack-era-upon-us/) ### SUBSCRIBE TO THIS BLOG FIRST NAME LAST NAME COMPANY EMAIL ###### SUBSCRIBE ###### ASERT Arbor’s Security Engineering & Response Team (ASERT) delivers world-class network security research and analysis for the bene�t of today’s enterprise and network ----- ###### Show more Tag Cloud ["End of Internet" (https://www.arbornetworks.com/blog/asert/tag/end-of-internet/)](https://www.arbornetworks.com/blog/asert/tag/end-of-internet/) Analysis (https://www.arbornetworks.com/blog/asert/tag/analysis/) [Antiy (https://www.arbornetworks.com/blog/asert/tag/antiy/)](https://www.arbornetworks.com/blog/asert/tag/antiy/) APT (https://www.arbornetworks.com/blog/asert/tag/apt/) Arbor Networks - DDoS Experts (https://www.arbornetworks.com/blog/asert/tag/arbor-networks-ddos-experts/) [Armageddon (https://www.arbornetworks.com/blog/asert/tag/armageddon/)](https://www.arbornetworks.com/blog/asert/tag/armageddon/) Banking Trojans (https://www.arbornetworks.com/blog/asert/tag/banking-trojans/) BGP (https://www.arbornetworks.com/blog/asert/tag/bgp/) Bot (https://www.arbornetworks.com/blog/asert/tag/bot/) Botnet #### (https://www.arbornetworks.com/blog/asert/tag/botnet/) Botnets (https://www.arbornetworks.com/blog/asert/tag/botnets/) Buhtrap (https://www.arbornetworks.com/blog/asert/tag/buhtrap/) [CAC (https://www.arbornetworks.com/blog/asert/tag/cac/)](https://www.arbornetworks.com/blog/asert/tag/cac/) China (https://www.arbornetworks.com/blog/asert/tag/china/) Crypto (https://www.arbornetworks.com/blog/asert/tag/crypto/) [CSAC (https://www.arbornetworks.com/blog/asert/tag/csac/)](https://www.arbornetworks.com/blog/asert/tag/csac/) [Danny McPherson (https://www.arbornetworks.com/blog/asert/tag/danny-mcpherson/)](https://www.arbornetworks.com/blog/asert/tag/danny-mcpherson/) ddos ## (https://www.arbornetworks.com/blog/asert/tag/ddo [Denial-of-service attack (https://www.arbornetworks.com/blog/asert/tag/denial-of-service-attack/)](https://www.arbornetworks.com/blog/asert/tag/denial-of-service-attack/) Dirt Jumper (https://www.arbornetworks.com/blog/asert/tag/dirt-jumper/) DNS (https://www.arbornetworks.com/blog/asert/tag/dns/) down (https://www.arbornetworks.com/blog/asert/tag/down/) Facebook (https://www.arbornetworks.com/blog/asert/tag/facebook/) Financial Sector (https://www.arbornetworks.com/blog/asert/tag/�nancial-sector/) Google ##### (https://www.arbornetworks.com/blog/asert/tag/google/) Halloween (https://www.arbornetworks.com/blog/asert/tag/halloween/) hijack (https://www.arbornetworks.com/blog/asert/tag/hijack/) internet (https://www.arbornetworks.com/blog/asert/tag/internet/) Internet Protocol (https://www.arbornetworks.com/blog/asert/tag/internet-protocol/) Internet service ### provider (https://www.arbornetworks.com/blog/asert/tag/internet- service-provider/) Internet tra�c (https://www.arbornetworks.com/blog/asert/tag/internet-tra�c/) [IPv4 (https://www.arbornetworks.com/blog/asert/tag/ipv4/)](https://www.arbornetworks.com/blog/asert/tag/ipv4/) IPv6 (https://www.arbornetworks.com/blog/asert/tag/ipv6/) Iran (https://www.arbornetworks.com/blog/asert/tag/iran/) malware (https://www.arbornetworks.com/blog/asert/tag/malware-2/) network (https://www.arbornetworks.com/blog/asert/tag/network/) outage ###### (https://www.arbornetworks.com/blog/asert/tag/outage/) peering (https://www arbornetworks com/blog/asert/tag/peering/) Russia ----- ##### (https://www.arbornetworks.com/blog/asert/tag/security/) Streaming media (https://www.arbornetworks.com/blog/asert/tag/streaming-media/) tra�c (https://www.arbornetworks.com/blog/asert/tag/tra�c/) Ukraine (https://www.arbornetworks.com/blog/asert/tag/ukraine/) Wikileaks (https://www.arbornetworks.com/blog/asert/tag/wikileaks/) YouTube ###### (https://www.arbornetworks.com/blog/asert/tag/youtube/) [© 2018 ARBOR NETWORKS, INC (HTTPS://WWW.ARBORNETWORKS.COM) . ALL RIGHTS RESERVED.](https://www.arbornetworks.com/) [(http://arbor.link/ntctwww) Website (http://arbor.link/ntctwww) |](http://arbor.link/ntctwww) **[Blog (http://arbor.link/ntctblog)](http://arbor.link/ntctblog)** -----