Operation GhostSecret Data Theft Campaign
The HIDDEN COBRA advanced persistent threat group is believed to be conducting an ongoing campaign known as Operation GhostSecret.
Multiple malware tools with similarities to other known HIDDEN COBRA tools such as BANKSHOT are used. These tools have multiple capabilities, including creating processes, transmitting data to a server, and listing directory files.
A separate tool named Proxysvc is used to communicate with the command and control infrastructure, exfiltrating data and downloading further payloads over HTTPS (HTTP over SSL).
As part of its initialization, the implant gathers basic system information and sends it to its hardcoded control server 203.131.222.83 using SSL over port 443.
Full technical details can be found here.
Control Servers
203.131.222.83
203.131.222.95
203.131.222.109
193.248.247.59
196.4.67.45
14.140.116.172 (old 2017 version address)
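The control server addresses above are the most directly usable indicators on this page, and the text states that the implant talks to 203.131.222.83 over SSL on port 443. The following is an added example (not code from the original article or from any vendor report) showing how a defender might sweep outbound firewall or proxy logs for connections to these addresses. The log line format, the field names and the sample log lines are all constructed for the example; adapt the regular expression to whatever format your own devices emit.

```python
import re
from ipaddress import ip_address

# Control server addresses listed for Operation GhostSecret on this page.
# 14.140.116.172 is noted as the address used by the older 2017 version.
GHOSTSECRET_C2 = {
    "203.131.222.83",
    "203.131.222.95",
    "203.131.222.109",
    "193.248.247.59",
    "196.4.67.45",
    "14.140.116.172",
}

# Port the page reports the implant using for its SSL channel.
REPORTED_C2_PORT = 443

# Hypothetical firewall log format assumed for this example:
#   <timestamp> <action> src=<ip>:<port> dst=<ip>:<port> proto=<proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"proto=(?P<proto>\w+)$"
)

# Constructed sample log lines: one internal host reaching the primary
# control server on 443, one benign HTTPS connection, one blocked attempt to
# the 2017 address, a malformed line, and a connection to a listed C2 on a
# port other than 443.
SAMPLE_LOG = """\
2018-04-25T10:01:02Z ALLOW src=10.0.0.15:51234 dst=203.131.222.83:443 proto=tcp
2018-04-25T10:01:05Z ALLOW src=10.0.0.15:51240 dst=93.184.216.34:443 proto=tcp
2018-04-25T10:02:11Z DENY src=10.0.0.22:49876 dst=14.140.116.172:443 proto=tcp
this line is not a valid log record
2018-04-25T10:03:00Z ALLOW src=10.0.0.9:40000 dst=196.4.67.45:8080 proto=tcp
"""


def parse_line(line):
    """Return a dict of fields for a well-formed log line, or None.

    Lines that do not match the format, or whose addresses are not valid
    IPv4/IPv6 literals, are skipped rather than raising.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ip_address(rec["src"])
        ip_address(rec["dst"])
    except ValueError:
        return None
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def scan_logs(log_text):
    """Return every record whose destination is a listed control server.

    Each hit carries ``port_match`` so an analyst can see whether the
    connection used the 443/SSL channel described on the page. Denied
    connections are still reported: a blocked attempt to reach a known
    control server is itself a sign the host needs attention.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in GHOSTSECRET_C2:
            continue
        rec["port_match"] = rec["dport"] == REPORTED_C2_PORT
        hits.append(rec)
    return hits


def hosts_to_triage(hits):
    """Distinct internal source addresses, sorted numerically, from a set of hits."""
    return sorted({h["src"] for h in hits}, key=ip_address)


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOG):
        flag = "443/SSL channel" if h["port_match"] else "non-443 port"
        print(f'{h["ts"]} {h["action"]:5} {h["src"]} -> {h["dst"]}:{h["dport"]} ({flag})')
    print("hosts to triage:", hosts_to_triage(scan_logs(SAMPLE_LOG)))
```

A plain set lookup like this is enough for a one-off sweep; for continuous monitoring the same indicator list would normally be loaded into the SIEM or firewall as a blocklist, and the `port_match` flag is only a hint, since the page reports 443 for the implant but the listed addresses should be treated as suspicious on any port.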
Affected Platforms
- Windows Desktops and Servers
- Linux-based Servers

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.