
TH-261 targeting Italian defense and military

Introduction

Since December 2020, researchers have been tracking a threat group that targets the Italian defense industry and military forces and that has been active since at least 2015. The researchers track the group as TH-261.

The starting point of the study was a press statement from the Italian police. The only technical detail the statement provides is a single IOC: “www.fujinama.altervista[.]org”.

A third-party analysis published on January 8, 2021 described several samples related to the incident but did not provide any hash values. We therefore started looking for the samples described in that article, in particular the one named “cftmon.exe”, which dates back to 2015, the year in which the local law enforcement agency was hacked.

During our investigation we were able to locate samples using Yara rules and the available technical indicators, and eventually found this one (SHA-256): “3c4444c8339f2b4c04931a379daf9d041854b168e45f949515f90b124821d626”.


The sample was compiled on July 14, 2015, which matches the timestamp given in the Reaqta report. As other technical reports have noted, the malware code is not sophisticated and has no code-protection mechanism of any kind; likewise, its C2 network traffic uses neither strong encryption nor any custom encoding.
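The two observations above (hunting with Yara rules against the known indicators, and a sample that is unprotected, talks to its C2 in cleartext, and was linked on July 14, 2015) can be combined into one hunting rule. The rule below is an added example, not code from the original post or from the researchers. It assumes that the published C2 hostnames appear in the binary as plain ASCII or UTF-16 strings (consistent with the absence of code protection and encryption described above) and that the PE header timestamp was not altered; the epoch window it uses is 2015-07-14 00:00:00 to 2015-07-15 00:00:00 UTC.

```yara
import "pe"

// Added hunting rule for this post; not from the original report.
// Assumption: C2 hostnames are embedded in cleartext and the PE build
// timestamp is genuine (both are plausible for unprotected code, neither is guaranteed).
rule TH261_cftmon_candidate
{
    meta:
        description = "TH-261 candidate: PE embedding a published C2 hostname, or named cftmon.exe and linked on 2015-07-14"
        reference_sha256 = "3c4444c8339f2b4c04931a379daf9d041854b168e45f949515f90b124821d626"
        author = "added example, not the researchers' rule"

    strings:
        // Published C2 infrastructure, refanged so it matches the raw bytes
        $c2_1 = "fujinama.altervista.org" ascii wide nocase
        $c2_2 = "failaspesa.altervista.org" ascii wide nocase
        $c2_3 = "ffaadd332211.altervista.org" ascii wide nocase
        $c2_4 = "xhdyeggeeefeew.000webhostapp.com" ascii wide nocase
        // File name reported for the 2015 sample (one letter swap away from the legitimate ctfmon.exe)
        $name = "cftmon.exe" ascii wide nocase

    condition:
        uint16(0) == 0x5A4D and filesize < 10MB and
        (
            // Strong signal: any of the C2 hostnames present in the file
            any of ($c2_*) or
            // Weaker pivot: the dropper name together with a link time on 2015-07-14 (UTC)
            ($name and pe.timestamp >= 1436832000 and pe.timestamp < 1436918400)
        )
}
```

Run it over a sample repository with `yara -r th261.yar <directory>`. The timestamp branch is deliberately conjunctive: a build date alone is trivially forged and the string "cftmon.exe" alone will also fire on files that merely reference the malware, so neither should match by itself. Because the C2 traffic is in cleartext, the same four hostnames are also the cheapest network-side check: a DNS or proxy log search for them and their subdomains (the police IOC was the "www." host) needs no rule at all.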

Conclusion

Through threat hunting, the researchers found further samples attributable to the group and analyzed them; they assess with moderate confidence that these samples are consistent with the TTPs of the actor behind the incident.

These samples must, however, be treated individually: nothing found so far establishes a link between them.

IOCs

Domains:

fujinama[.]altervista[.]org
failaspesa[.]altervista[.]org
ffaadd332211[.]altervista[.]org
xhdyeggeeefeew[.]000webhostapp[.]com

SHA-256:

3c4444c8339f2b4c04931a379daf9d041854b168e45f949515f90b124821d626
00092c4212f31387983e7e4b03d4f8362e58a43861d8073e71d20e95addeb8a2
646dbe5de074ba301f2e2eccd9ccbb9b58c86dafc69cbf00ecd7fe9365f8f1f2
500631db833b2729f784e233225621ddff411d7da49bd82cfd51a49b9600438f

SHA-1:

7a71ddb5bb7dde4591857a20fbfccb0dc1199347
f5ec4e77864927bd8e15b9ab07e92c8503197860
afe5b97603f260abb36937373e587471ea4eddf0
98a3bb4529e30b27d11cc714b1b7ab9fbd8c4d26

MD5:

70eeafd5f6971fe3a0b610a79d465973
6de25e21cfda939dda1a41a326f5de10
01ab5c3c78bca1b0af3d630437082496
46f6d40a87b99f26e63e3324a95c6eef