{
	"id": "79a42502-2174-4138-9838-715426a8e449",
	"created_at": "2026-04-06T00:15:06.627513Z",
	"updated_at": "2026-04-10T03:37:50.136104Z",
	"deleted_at": null,
	"sha1_hash": "c2c2e43083b9fb9582891c2d76d829fb7f4b377b",
	"title": "Some notes on IoCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100822,
	"plain_text": "Some notes on IoCs\r\nArchived: 2026-04-05 21:53:10 UTC\r\nObama \"sanctioned\" Russia today for those DNC/election hacks, kicking out 35 diplomats (**), closing diplomatic compounds (**), seizing assets of named individuals/groups (***). They also published \"IoCs\" of those attacks, fingerprints/signatures that point back to the attackers, like virus patterns, file hashes, and IP addresses.\r\nThese IoCs are of low quality. They are published as a political tool, to prove they have evidence pointing to Russia. They have limited utility to defenders, or those publicly analyzing attacks.\r\nConsider the Yara rule included in US-CERT's \"GRIZZLY STEPPE\" announcement:\r\nWhat is this? What does this mean? What do I do with this information?\r\nIt's a YARA rule. YARA is a tool ostensibly for malware researchers, to quickly classify files. It's not really an anti-virus product designed to prevent or detect an intrusion/infection, but to analyze an intrusion/infection afterward -- such as attributing the attack. Signatures like this will identify a well-known file found on infected/hacked systems.\r\nWhat this YARA rule detects is, as the name suggests, the \"PAS TOOL WEB KIT\", a web shell tool that's popular among Russia/Ukraine hackers. If you google \"PAS TOOL PHP WEB KIT\", the second result points to the tool in question. You can download a copy here [*], or you can view it on GitHub here [*].\r\nOnce a hacker gets comfortable with a tool, they tend to keep using it. That implies the YARA rule is useful at tracking the activity of that hacker, to see which other attacks they've been involved in, since it will find the same web shell on all the victims.\r\nhttps://blog.erratasec.com/2016/12/some-notes-on-iocs.html\r\nPage 1 of 3\r\nThe problem is that this P.A.S. web shell is popular, used by hundreds if not thousands of hackers, mostly associated with Russia, but also throughout the rest of the world (judging by hacker forum posts). This makes using the YARA signature for attribution problematic: just because you found P.A.S. in two different places doesn't mean it's the same hacker.\r\nA web shell, by the way, is one of the most common things hackers use once they've broken into a server. It allows further hacking and exfiltration traffic to appear as normal web requests. It typically consists of a script file (PHP, ASP, PERL, etc.) that forwards commands to the local system. There are hundreds of popular web shells in use.\r\nWe have little visibility into how the government used these IoCs. IP addresses and YARA rules like this are weak, insufficient for attribution by themselves. On the other hand, if they've got web server logs from multiple victims where commands from those IP addresses went to this specific web shell, then the attribution would be strong that all these attacks are by the same actor.\r\nIn other words, these rules can be a reflection of the fact the government has excellent information for attribution. Or, it could be a reflection that they've got only weak bits and pieces. It's impossible for us outsiders to tell.\r\nIoCs/signatures are fetishized in the cybersecurity community: they love the small rule, but they ignore the complexity and context around the rules, often misunderstanding what's going on. (I've written thousands of the things -- I'm constantly annoyed by the ignorance among those not understanding what they mean).\r\nI see on Twitter people praising the government for releasing these IoCs. What I'm trying to show here is that I'm not nearly as enthusiastic about their quality.\r\nNote#1: BTW, the YARA rule has to trigger on the PHP statements, not on the embedded BASE64 encoded stuff. That's because it's encrypted with a password, so could be different for every hacker.\r\nNote#2: Yes, the hackers who use this tool can evade detection by minor changes that avoid this YARA rule. But that's not a concern -- the point is to track the hacker using this tool across many victims, to attribute attacks. The point is not to act as an anti-virus/intrusion-detection system that triggers on \"signatures\".\r\nNote#3: Publishing the YARA rule burns it. The hackers it detects will presumably move to different tools, like PASv4 instead of PASv3. Presumably, the FBI/NSA/etc. have a variety of YARA rules for various web shells used by known active hackers, to attribute attacks to various groups. They aren't publishing these because they want to avoid burning those rules.\r\nNote#4: The PDF from the DHS has pretty diagrams about the attacks, but it doesn't appear this web shell was used in any of them. It's difficult to see where it fits in the overall picture.\r\n(**) No, not really. Apparently, kicking out the diplomats was punishment for something else, not related to the DNC hacks.\r\n(***) It's not clear if these \"sanctions\" have any teeth.\r\nSource: https://blog.erratasec.com/2016/12/some-notes-on-iocs.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.erratasec.com/2016/12/some-notes-on-iocs.html"
	],
	"report_names": [
		"some-notes-on-iocs.html"
	],
	"threat_actors": [
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2c2e43083b9fb9582891c2d76d829fb7f4b377b.pdf",
		"text": "https://archive.orkl.eu/c2c2e43083b9fb9582891c2d76d829fb7f4b377b.txt",
		"img": "https://archive.orkl.eu/c2c2e43083b9fb9582891c2d76d829fb7f4b377b.jpg"
	}
}