
Emissary Panda Attacks Middle East Government SharePoint Servers

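<!doctype html>
<html lang="en-US">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="profile" href="https://gmpg.org/xfn/11">
  <link rel="preconnect" href="https://www.paloaltonetworks.com">
  <link rel="preconnect" href="https://cdn.cookielaw.org">
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <!-- Start: Scripts Migrated From Unit42-v5 -->
  <!--
    Bootstrap script. Defines a few page-level globals (presumably read by later
    scripts on the page), reads the optional `container` query parameter, stores it
    in sessionStorage and then redirects to this post's canonical URL. The redirect
    target is a string literal - the parameter value never becomes part of the
    destination, so this is not an open redirect. Being an inline script, it needs a
    nonce/hash or 'unsafe-inline' if a script-src CSP is ever applied to the page.
  -->
  <script type="text/javascript">
    var main_site_url = 'https://www.paloaltonetworks.com';
    var maindomain_lang = 'https://www.paloaltonetworks.com';

    /**
     * Return the value of query parameter `name` from `url`.
     *
     * @param {string} name  Parameter name. Only `[` and `]` are regex-escaped, so
     *                       callers must pass a literal, metacharacter-free name
     *                       (as the single call below does).
     * @param {string} [url] URL to inspect; defaults to window.location.href.
     * @returns {string|null} The decoded value; '' when the parameter is present
     *     without a value; null when it is absent or when its value is not valid
     *     percent-encoding. The query string is untrusted input, so a malformed
     *     value must not throw and abort the rest of this script (which would also
     *     leave container_q and d_lang undefined for anything that reads them).
     */
    function getParameterByName(name, url) {
      if (url == null) {
        url = window.location.href;
      }
      name = name.replace(/[\[\]]/g, '\\$&');
      var regex = new RegExp('[?&]' + name + '(=([^&#]*)|&|#|$)'),
          results = regex.exec(url);
      if (!results) return null;
      if (!results[2]) return '';
      try {
        // '+' is the form-encoding of a space; normalise before decoding.
        return decodeURIComponent(results[2].replace(/\+/g, ' '));
      } catch (e) {
        // decodeURIComponent throws URIError on malformed %-sequences.
        return null;
      }
    }

    var container_q = getParameterByName('container');
    var d_lang = 'en';
    if (container_q != '' && container_q != null) {
      // The value only survives via sessionStorage; the destination is fixed.
      sessionStorage.setItem('container', container_q);
      location.href = 'https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers';
    }
  </script>
  <!--
    Critical CSS: fetched as a preload, then switched to a stylesheet once loaded
    via the inline onload handler (same CSP caveat as above); the <noscript>
    duplicates give non-JS clients the stylesheet directly.
  -->
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
  <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.css"></noscript>
  <link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'">
  <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.css"></noscript>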
<link rel="preload" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css" as="style" onload="this.onload=null;this.rel='stylesheet'"> <noscript><link rel="stylesheet" href="https://www.paloaltonetworks.com/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/deferedProductNav.min.css"></noscript> <meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' /> <link rel="alternate" hreflang="en" href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" /> <link rel="alternate" hreflang="ja" href="https://unit42.paloaltonetworks.jp/emissary-panda-attacks-middle-east-government-sharepoint-servers/" /> <link rel="alternate" hreflang="x-default" href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" /> <!-- This site is optimized with the Yoast SEO Premium plugin v23.7 (Yoast SEO v23.7) - https://yoast.com/wordpress/plugins/seo/ --> <title>Emissary Panda Attacks Middle East Government SharePoint Servers</title> <meta name="description" content="Our latest research shows attacks against Middle East government Sharepoint servers using a newly patched vulnerability. In our blog, we provide details of the tools and tactics, explain how we believe these connect to the Emissary Panda threat group, correlate our findings with those of the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security, and provide indicators of compromise (IoCs) from our research." 
/> <link rel="canonical" href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" /> <meta property="og:locale" content="en_US" /> <meta property="og:type" content="article" /> <meta property="og:title" content="Emissary Panda Attacks Middle East Government SharePoint Servers" /> <meta property="og:description" content="Our latest research shows attacks against Middle East government Sharepoint servers using a newly patched vulnerability. In our blog, we provide details of the tools and tactics, explain how we believe these connect to the Emissary Panda threat group, correlate our findings with those of the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security, and provide indicators of compromise (IoCs) from our research." /> <meta property="og:url" content="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" /> <meta property="og:site_name" content="Unit 42" /> <meta property="article:published_time" content="2019-05-28T13:00:32+00:00" /> <meta property="article:modified_time" content="2024-06-07T15:54:46+00:00" /> <meta property="og:image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/01_Nation-State-cyberattacks_1920x900.jpg" /> <meta property="og:image:width" content="1920" /> <meta property="og:image:height" content="900" /> <meta property="og:image:type" content="image/jpeg" /> <meta name="author" content="Robert Falcone, Tom Lancaster" /> <meta name="twitter:card" content="summary_large_image" /> <!-- / Yoast SEO Premium plugin. 
--> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Feed" href="https://unit42.paloaltonetworks.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Comments Feed" href="https://unit42.paloaltonetworks.com/comments/feed/" /> <link rel="alternate" type="application/rss+xml" title="Unit 42 &raquo; Emissary Panda Attacks Middle East Government SharePoint Servers Comments Feed" href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/feed/" /> <script type="text/javascript"> var globalConfig = {}; var webData = {}; webData.channel = "unit42"; webData.property = "unit42.paloaltonetworks.com"; webData.language = "en_us"; webData.pageType = "blogs"; webData.pageName = "unit42:emissary-panda-attacks-middle-east-government-sharepoint-servers"; webData.pageURL = "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers"; webData.article_title = "Emissary Panda Attacks Middle East Government SharePoint Servers"; webData.author = "Robert Falcone,Tom Lancaster"; webData.published_time = "2019-05-28T06:00:32-07:00"; webData.description = ""; webData.keywords = "Malware,Nation-State Cyberattacks,Threat Actor Groups,Threat Research,APT27,Bronze Union,China Chopper,CVE-2019-0604,DLL Sideloading,Emissary Panda,ETERNALBLUE,HyperBro,Lucky Mouse,MS17-010,TG-3390,webshell"; webData.resourceAssetID = "eeb55953157d977b2e2f910d8c937e36"; </script> <script type="text/javascript"> var globalConfig = {}; globalConfig.buildName = "UniqueResourceAssetsID_DEC022022"; </script> <meta property="og:likes" content="38"/> <meta property="og:readtime" content="13"/> <meta property="og:views" content="98,787"/> <meta property="og:date_created" content="May 28, 2019 at 6:00 AM"/> <meta property="og:post_length" content="4510"/> <meta property="og:category" content="Malware"/> <meta property="og:category" content="Nation-State Cyberattacks"/> <meta 
property="og:category" content="Threat Actor Groups"/> <meta property="og:category" content="Threat Research"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/malware/"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/nation-state-cyberattacks/"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/threat-actor-groups/"/> <meta property="og:category_link" content="https://unit42.paloaltonetworks.com/category/threat-research/"/> <meta property="og:author" content="Robert Falcone"/> <meta property="og:author" content="Tom Lancaster"/> <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/robertfalcone/"/> <meta property="og:authorlink" content="https://unit42.paloaltonetworks.com/author/tom-lancaster/"/> <meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/> <meta property="og:author_image_link" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2018/11/unit-news-meta.svg"/> <meta name="post_tags" content="APT27,Bronze Union,China Chopper,CVE-2019-0604,DLL Sideloading,Emissary Panda,ETERNALBLUE,HyperBro,Lucky Mouse,MS17-010,TG-3390,webshell"/> <meta property="og:post_image" content="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/Espionage-r3d1-380x184.png"/> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"BlogPosting","headline":"Emissary Panda Attacks Middle East Government SharePoint Servers","name":"Emissary Panda Attacks Middle East Government SharePoint Servers","description":"Our latest research shows attacks against Middle East government Sharepoint servers using a newly patched vulnerability. 
In our blog, we provide details of the tools and tactics, explain how we believe these connect to the Emissary Panda threat group, correlate our findings with those of the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security, and provide indicators of compromise (IoCs) from our research.","url":"https:\/\/unit42.paloaltonetworks.com\/emissary-panda-attacks-middle-east-government-sharepoint-servers\/","mainEntityOfPage":"https:\/\/unit42.paloaltonetworks.com\/emissary-panda-attacks-middle-east-government-sharepoint-servers\/","datePublished":"May 28, 2019","articleBody":"Executive Summary\r\n\r\nIn April 2019, Unit 42 observed the Emissary Panda (AKA APT27, TG-3390, Bronze Union, Lucky Mouse) threat group installing webshells on SharePoint servers to compromise Government Organizations of two different countries in the Middle East. We believe the adversary exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604, which is a remote code execution vulnerability used to compromise the server and eventually install a webshell. The actors uploaded a variety of tools that they used to perform additional activities on the compromised network, such as dumping credentials, as well as locating and pivoting to additional systems on the network. Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144, which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017.\r\n\r\nThis activity appears related to campaigns exploiting CVE-2019-0604 mentioned in recent security alerts from Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security. In addition to the aforementioned post-exploitation tools, the actors used these webshells to upload legitimate executables that they would use DLL sideloading to run a malicious DLL that has code overlaps with known Emissary Panda attacks. 
We also found the China Chopper webshell on the SharePoint servers, which has also been used by the Emissary Panda threat group.\r\n\r\nIn this blog, we provide details of the tools and tactics we observed on these compromised SharePoint servers, explain how we believe these connect to the Emissary Panda threat group, correlate our findings with those of the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security, and provide indicators of compromise (IoCs) from our research. You can find the Adversary Playbook for the activity detailed in this blog here.\r\n\r\nAttack Overview\r\n\r\nThis webshell activity took place across three SharePoint servers hosted by two different government organizations between April 1, 2019 and April 16, 2019, where actors uploaded a total of 24 unique executables across the three SharePoint servers. Figure 1 shows a timeline of when the files were uploaded to the three webshells. The timeline shows three main clusters of activity across the three webshells, with activity occurring on two separate webshells (green and orange) within a very small window of time on April 2, 2019 and the activity involving the third webshell two weeks later on April 16, 2019. The actors uploaded several of the same tools across these three webshells, which establishes a relationship between the incidents and indicates that a single threat group is likely involved.\r\nFigure 1. Timeline of file uploads across three related webshells\r\nThe tools uploaded to the webshells range from legitimate applications such as cURL to post-exploitation tools such as Mimikatz. The threat actors also uploaded tools to scan for and exploit potential vulnerabilities in the network, such as the well-known SMB vulnerability patched in MS17-010 commonly exploited by EternalBlue to move laterally to other systems on the network. 
We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated with Emissary Panda. Based on the functionality of the various tools uploaded to the webshells, we believe the threat actors breach the SharePoint servers to use as a beachhead, then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities. \r\n\r\nWebshells Installed\r\n\r\nAs previously mentioned, we found webshells installed on three SharePoint servers hosted at two different organizations, two of which had the same file name of errr.aspx and the other a filename of error2.aspx. The webshells were hosted at the following paths on the compromised servers:\r\n\r\n\/_layouts\/15\/error2.aspx\r\n\r\n\/_layouts\/15\/errr.aspx\r\n\r\nWe were able to gather one of the webshells with which we saw the actor interacting, specifically the error2.aspx file listed above. The error2.aspx file (SHA256: 006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38) is a variant of the Antak webshell, which is part of a tool created for red teaming called Nishang. The specific variant of Antak in error2.aspx is version v0.5.0, which is an older version of the webshell that was updated in August 2015 to v0.7.6 to include some basic authentication functionality and the ability to perform SQL queries. It\u2019s possible the actors obtained Antak v0.5.0 via the Nishang GitHub repository or from SecWiki\u2019s GitHub that also has the v0.5.0 version of Antak. Figure 2 shows the Antak webshell loaded on one of the Sharepoint servers. \r\nFigure 2. Antak webshell \u2018error2.aspx\u2019 used to upload post-exploitation tools\r\nWhile we observed the threat actor uploading additional tools to the Antak webshell above, the Sharepoint server also had several other webshells installed. The additional webshells, specifically stylecs.aspx, stylecss.aspx, and test.aspx are listed in Table 1, and appear related to the China Chopper webshell. 
We cannot be sure all of these webshells were installed by the same actors, as multiple actors could have exploited the SharePoint server. For instance, the China Chopper-related webshells are one-line of JScript code that could be easily copied and used by multiple groups, and the Antak webshell is easily obtained from publicly accessible repositories. However, the installation of China Chopper and the uploading of Emissary Panda related custom payloads to the Antak webshell suggests they are likely related, as this threat group has used China Chopper to compromise servers in the past.\r\n\r\n\r\n\r\nFilename\r\nSHA256\r\n\r\n\r\nstylecs.aspx\r\n2feae7574a2cc4dea2bff4eceb92e3a77cf682c0a1e78ee70be931a251794b86\r\n\r\n\r\nstylecss.aspx\r\nd1ab0dff44508bac9005e95299704a887b0ffc42734a34b30ebf6d3916053dbe\r\n\r\n\r\ntest.aspx\r\n6b3f835acbd954af168184f57c9d8e6798898e9ee650bd543ea6f2e9d5cf6378\r\n\r\n\r\n\r\nTable 1. Additional webshells hosted on Sharepoint server\r\nThe stylecs.aspx webshell provides fairly significant functionality, as its developer wrote this webshell in JScript that ultimately runs any supplied JScript code provided to it within the HTTP request. Figure 3 shows this webshell\u2019s code that will run supplied JScript provided in base64 encoded format within the URL within a parameter e358efa489f58062f10dd7316b65649e. The parameter e358efa489f58062f10dd7316b65649e is interesting as it is the MD5 hash for the letter \u2018t\u2019, which is a known parameter for China Chopper as mentioned in the next section.\r\nFigure 3. China Chopper code found in stylecs.aspx webshell on SharePoint server\r\nThe stylecss.aspx webshell is very similar to the stylecs.aspx, as it runs JScript provided within the e358efa489f58062f10dd7316b65649e parameter of the URL; however, the stylecss.aspx webshell does not accept base64 encoded JScript, but expects the JScript in cleartext that the actor would provide as URL safe text. 
Figure 4 shows the code within stylecss.aspx, which when compared to Figure 3 above shows the lack of the base64 decoding function \u2018FromBase64String\u2019.\r\n\r\nFigure 4. China Chopper code found in stylecss.aspx webshell on SharePoint server\r\nThe last webshell extracted from the Sharepoint server had a filename of test.aspx, which is very similar to the stylecs.aspx webshell as it runs base64 encoded JScript provided in the URL of the request. However, the test.aspx webshell uses a parameter related to the compromised organization to obtain the base64 encoded JScript that it will run and display within the browser. The test.aspx shell also includes code that sets the HTTP response status to a 404 Not Found, which will display an error page but will still run the provided JScript. Figure 5 shows the code within the test.aspx file. \r\nFigure 5. China Chopper code found in test.aspx webshell on SharePoint server\r\nLinks to Security Advisories\r\n\r\nIn April 2019, several national security organizations released alerts on CVE-2019-0604 exploitation, including the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security. Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell. While we cannot confirm all of the claims made in these advisories, we noticed overlaps in the webshell code hosted on the compromised SharePoint servers we observed and the webshells mentioned in these advisories.\r\n\r\nThe Saudi Arabian National Cyber Security Center\u2019s alert provided details regarding the activities carried out by the adversary. This alert also displayed the code associated with the China Chopper webshell observed in the attacks, which included Request.Item[\"t\"] to obtain JScript code from the \u2018t\u2019 parameter of the URL. 
As mentioned in the previous section, stylecs.aspx and stylecss.aspx both used a parameter of e358efa489f58062f10dd7316b65649e, which is the MD5 hash of \u2018t\u2019. This may suggest the actor modified the script slightly between the attack we observed and the attack mentioned in the NCSC advisory, all while retaining the same functionality. Also, the NCSC advisory mentioned that the actors used a file name stylecss.aspx for their webshell, which is the same filename we saw associated with China Chopper. \r\n\r\nThe alert from the Canadian Center for Cyber Security included the SHA256 hashes of the files associated with the campaign, one of which was 05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4 for a file named pay.aspx. The pay.aspx file is part of the China Chopper webshell and is very similar to the stylecss.aspx webshell we discussed above, with the only major difference being the URL parameter of \u2018vuiHWNVJAEF\u2019 within the URL that the pay.aspx webshell uses to obtain and run JScript. Figure 6 below shows a comparison between the stylecss.aspx and pay.aspx files.\r\nFigure 6. Comparison between stylecss.aspx webshell and pay.aspx webshell discussed in Canadian Center for Cyber Security advisory\r\nTools Uploaded\r\n\r\nDuring our research into this attack campaign, Unit 42 gathered several tools that the actor uploaded to the three webshells at the two government organizations. The chart in Figure 7 shows the same tools being uploaded to the webshells, which provided an initial linkage between the activities. One of the overlapping tools uploaded to the webshells is the legitimate cURL application, which could be used by multiple groups. 
The other overlapping files are tools used by the adversary to locate other systems on the network (etool.exe), check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS17-010 (checker1.exe) and pivot to them using remote execution functionality offered by a tool similar to PsExec offered by Impacket (psexec.exe). These tools are not custom made by the adversary but still provide a medium confidence linkage between the activities. We also observed the actors uploading the HyperBro backdoor to one of the webshells, as well as legitimate executables that would sideload malicious DLLs that have overlapping code associated with known Emissary Panda activity. \r\n\r\nFigure 7. Relationships between tools uploaded to the three webshells hosted on SharePoint servers\r\nThe actors uploaded 10 portable executables to the error2.aspx webshell, as seen in Table 2. The list of tools uploaded to this webshell includes legitimate applications, such as cURL and a component of Sublime Text used to sideload a malicious DLL, which we will discuss in an upcoming section. The list also includes several hack tools, such as Mimikatz for credential dumping and several compiled Python scripts used to locate and compromise other systems on the local network. Lastly, we saw the actor uploading a custom backdoor called HyperBro, which has been associated with Emissary Panda operations in the past. We will provide an analysis of the HyperBro tool in an upcoming section. 
\r\n\r\n\r\n\r\nFilename\r\nSHA256\r\nDescription\r\n\r\n\r\nm2.exe\r\nb279a41359367408c627ffa8d80051ed0f04c76fbf6aed79b3b2963203e08ade\r\nPacked Mimikatz tool.\r\n\r\n\r\npsexec.exe\r\n7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7\r\nCompiled Impacket psexec\r\n\r\n\r\ns.exe\r\n04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462\r\nHyperBro backdoor\r\n\r\n\r\ncurl.exe\r\nabc16344cdfc78f532870f4dcfbb75794c9a7074e796477382564d7ba2122c7d\r\nLegitimate cURL\r\n\r\n\r\ncurl.exe\r\nbbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab\r\nLegitimate cURL\r\n\r\n\r\nchecker1.exe\r\n090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98\r\nCompiled EternalBlue checker script\r\n\r\n\r\netool.exe\r\n38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c\r\nC# Tool, likely from https:\/\/github.com\/mubix\/netview\r\n\r\n\r\nplugin_host.exe\r\n738abaa80e8b6ed21e16302cb91f6566f9322aebf7a22464f11ee9f4501da711\r\nLegitimate Sublime Text plugin host\r\n\r\n\r\nPYTHON33.dll\r\n2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528\r\nSideloaded DLL loaded by Sublime Text\r\n\r\n\r\ncurl.exe\r\nbbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab\r\nLegitimate cURL.\r\n\r\n\r\n\r\nTable 2. Unique tools uploaded to the error2.aspx webshell installed on a SharePoint server\r\nWe saw 17 tools uploaded to the errr.aspx webshell hosted on the SharePoint server of one of the government organizations, which is in the middle of the chart in Figure 7. Table 3 shows all of the tools we observed the actor uploading to the webshell, which includes a list of tools used to dump credentials, locate, and exploit remote systems, as well as pivoting to other systems on the network. 
\r\n\r\n\r\n\r\nFilename\r\nSHA256\r\nDescription\r\n\r\n\r\nsmb1.exe\r\n88027a44dc82a97e21f04121eea2e86b4ddf1bd7bbaa4ad009b97b50307570bd\r\nSMB backdoor based on smbrelay3\r\n\r\n\r\nmcmd.exe\r\n738128b4f42c8d2335d68383d72734130c0c4184725c06851498a4cf0374a841\r\nCompiled zzz_exploit.py\r\n\r\n\r\nmcafee.exe\r\n3bca0bb708c5dad1c683c6ead857a5ebfa15928a59211432459a3efa6a1afc59\r\nCompiled zzz_exploit.py\r\n\r\n\r\ndump.exe\r\n29897f2ae25017455f904595872f2430b5f7fedd00ff1a46f1ea77e50940128e\r\npwdump\r\n\r\n\r\nchecker1.exe\r\nd0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333\r\nCompiled MS17-010 checker\r\n\r\n\r\nmemory.exe\r\na18326f929229da53d4cc340bde830f75e810122c58b523460c8d6ba62ede0e5\r\nPacked Mimikatz\r\n\r\n\r\nchecker.exe\r\n090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98\r\nCompiled MS17-010 checker\r\n\r\n\r\npsexec.exe\r\n7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7\r\nCompiled Impacket psexec.\r\n\r\n\r\netool.exe\r\n38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c\r\nC# Tool, likely from https:\/\/github.com\/mubix\/netview\r\n\r\n\r\nsmb.exe\r\n4a26ec5fd16ee13d869d6b0b6177e570444f6a007759ea94f1aa18fa831290a8\r\nSMB backdoor based on smbrelay3\r\n\r\n\r\nagent_Win32.exe\r\nb2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9\r\nTermite\r\n\r\n\r\nsmb_exec.exe\r\n475c7e88a6d73e619ec585a7c9e6e57d2efc8298b688ebc10a3c703322f1a4a7\r\nhttprelay\r\n\r\n\r\ncurl.exe\r\nbbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab\r\nLegitimate cURL\r\n\r\n\r\nincognito.exe\r\n9f5f3a9ce156213445d08d1a9ea99356d2136924dc28a8ceca6d528f9dbd718b\r\nIncognito \u00a0\r\n\r\n\r\nnbtscan.exe\r\nc9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e\r\nnbtscan\r\n\r\n\r\nfgdump.exe\r\na6cad2d0f8dc05246846d2a9618fc93b7d97681331d5826f8353e7c3a3206e86\r\npwdump\r\n\r\n\r\nsmbexec.exe\r\ne781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee\r\nCompiled Impacket 
smbexec\r\n\r\n\r\n\r\nTable 3. Unique tools uploaded to the errr.aspx webshell installed on a SharePoint server\r\nTwo of the tools, specifically the compiled zzz_exploit.py and checker.py, suggest the actor would check and exploit remote systems if they were not patched for MS17-010, which patched the CVE-2017-0144 (EternalBlue) vulnerability. Also, the use of the Mimikatz and pwdump tools suggests the adversary attempts to dump credentials on compromised systems. We were able to gather the command line arguments the actor used to run the SMB backdoor smb1.exe. The following arguments show the actor using the SMB backdoor to attempt to run a batch script m.bat on a remote host using a domain username and the account\u2019s password hash:\r\n\r\nc:\\programdata\\smb1.exe &lt;redacted 10.0.0.0\/8 IP&gt; &lt;redacted domain&gt;\\&lt;redacted username&gt; :&lt;redacted password hash&gt; winsk c:\\programdata\\m.bat\r\n\r\nWe saw far fewer portable executable files uploaded to the second errr.aspx webshell, specifically the 3 files seen in Table 4. The files uploaded to this webshell included the same compiled Python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell. Also, we observed the actor uploading a legitimate Microsoft application that would sideload a malicious DLL, which was very similar to the DLL sideloaded by the Sublime Text plugin host that was uploaded to the error2.aspx webshell. 
\r\n\r\n\r\n\r\nFilename\r\nSHA256\r\nDescription\r\n\r\n\r\nchecker1.exe\r\nd0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333\r\nCompiled MS17-010 checker\r\n\r\n\r\nCreateMedia.exe\r\n2bb22c7b97e4c4d07e17a259cbc48d72f7e3935aa873e3dd78d01c5bbf426088\r\nLegitimate CreateMedia.exe application from Microsoft's System Center 2012 Configuration Manager\r\n\r\n\r\nCreateTsMediaAdm.dll\r\n06510504f30feb1adc7e423d5a24e67e5b97acbfafe40f253a054be8b1c4e8d7\r\nSideloaded DLL loaded by CreateMedia.exe\r\n\r\n\r\n\r\nTable 4. Unique tools uploaded to the errr.aspx webshell installed on a SharePoint server\r\nEmissary Panda Specific Tools\r\n\r\nMany of the tools uploaded to these webshells are hacking tools that are publicly accessible and could be used by multiple threat actors. However, several of the tools uploaded to the webshells appear to be custom made and likely related to the Emissary Panda threat group. \r\n\r\nHyperBro\r\n\r\nThe s.exe (SHA256: 04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462) uploaded to the error2.aspx webshell is a self-extracting 7-zip archive that is an example of the HyperBro backdoor. According to Kaspersky and SecureWorks research, HyperBro is a custom backdoor developed and used by Emissary Panda in their attack campaigns. This sample of HyperBro is similar to the sample discussed in Kaspersky\u2019s research, specifically using a legitimate pcAnywhere application to sideload a DLL to decrypt, decompress and run a payload embedded within a file named \u2018thumb.db\u2019. 
Table 5 shows the three files associated with this HyperBro sample, which have the same file names as the self-extracting 7zip archives mentioned in Kaspersky\u2019s blog (SHA256 hashes: 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa and 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233).\r\n\r\n&nbsp;\r\n\r\n\r\n\r\nFilename\r\nSHA256\r\nDescription\r\n\r\n\r\nthinprobe.exe\r\n76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af\r\nSymantec pcAnywhere thinprobe application \r\n\r\n\r\nthinhostprobedll.dll \r\nd40414b1173d59597ed1122361fe60303d3526f15320aede355c6ad9e7e239af\r\nSideloaded DLL loaded by thinprobe.exe\r\n\r\n\r\nthumb.db\r\n270ea24f2cef655bd89439ab76c1d49c80caaa8899ffa6f0ef36dc1beb894530\r\nContains encrypted and compressed DLL payload run by sideloaded DLL\r\n\r\n\r\n\r\nTable 5. Files associated with the HyperBro tool uploaded to webshell on SharePoint server\r\nThe functional payload is a DLL compiled on 2019-03-11 02:23:54, which has two functionalities depending if the binary has a command line argument -daemon or -worker passed to it. The daemon functionality handles the C2 communications portion of the Trojan, which is configured to communicate with 185.12.45[.]134 over HTTPS using the following URL:\r\n\r\nhxxps:\/\/185.12.45[.]134:443\/ajax\r\n\r\nThe worker functionality acts on the data received from the C2 server, which is passed from the daemon to the worker via a named pipe called \"\\\\.\\pipe\\testpipe\". The worker subjects the received data to a command handler whose available commands are listed in Table 6. 
\u00a0\r\n\r\n\r\n\r\nCommand\r\nSub-command\r\nDescription\r\n\r\n\r\n0x12\r\n\r\nFile manager\r\n\r\n\r\n\r\n0x10\r\nEnumerate logical storage volumes\r\n\r\n\r\n\r\n 0x11\r\nDelete a specified file\r\n\r\n\r\n\r\n0x12\r\nUpload a file\r\n\r\n\r\n\r\n0x13\r\nDownload a file\r\n\r\n\r\n\r\n0x17\r\nList contents of a folder\r\n\r\n\r\n\r\n0x19\r\nRun an application (CreateProcessW) or script\/file (ShellExecuteW)\r\n\r\n\r\n0x13\r\n\r\nExecute command on shell\r\n\r\n\r\n0x16\r\n\r\nTakes screenshot\r\n\r\n\r\n0x19\r\n\r\nRuns shellcode it injects into a newly created process 'msiexec.exe'\r\n\r\n\r\n0x1a\r\n\r\nKill specific process\r\n\r\n\r\n0x1e\r\n\r\nService manager\r\n\r\n\r\n\r\n0x17\r\nList all services and their configurations\r\n\r\n\r\n\r\n0x19\r\nStart a specified service\r\n\r\n\r\n\r\n0x1a\r\nStop a specified service\r\n\r\n\r\n\r\nTable 6. The commands available within the HyperBro tool\u2019s command handler\r\nUnknown Sideloaded Payloads\r\n\r\nTable 2 and 4 above include two legitimate executables used for DLL sideloading, specifically the plugin_host.exe application for Sublime Text and the CreateMedia.exe application from Microsoft's System Center 2012 Configuration Manager. The plugin_host.exe application imports several functions from a library named python33, which is how the legitimate application sideloads the malicious DLL named PYTHON33.dll. This is the first instance we have observed Sublime Text\u2019s plugin host application used for sideloading. Like the plugin host application, the CreateMedia.exe application imports several functions from a library named CreateTsMediaAdm that is leveraged to load the malicious DLL named CreateTsMediaAdm.dll.\r\n\r\nThe PYTHON33.dll and the CreateTsMediaAdm.dll libraries are very similar with BinDiff providing a 97% similarity with 99% confidence between the two DLLs. 
The code diff in Figure 8 shows the decryption routine in PYTHON33.dll (right) and CreateTsMediaAdm.dll (left), both of which use an eight-byte XOR key to decrypt a piece of shikata_ga_nai-encoded shellcode. The shellcode is responsible for patching the entry point of the legitimate application to call another function in the shellcode that is responsible for loading a file with the library name with an .hlp extension (PYTHON33.hlp or CreateTsMediaAdm.hlp).\r\nFigure 8. Code comparison between the sideloaded CreateTsMediaAdm.dll and PYTHON33.dll files uploaded to two webshells\r\nUnfortunately, we do not have access to the PYTHON33.hlp or CreateTsMediaAdm.hlp files, so we do not know the final payload loaded by either of these DLLs. However, using NCC Group\u2019s research published in May 2018, we were able to discover code overlaps between these DLLs and a sideloaded DLL that ran the SysUpdate tool that NCC Group has associated with an Emissary Panda campaign. Figure 9 shows a code comparison between the PYTHON33.dll (right) and inicore_v2.3.30.dll (left) (SHA256: 4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822), which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign. The code overlaps below include the same technique to find the entry point of the loading executable and to decrypt the first piece of shellcode used to patch the entry point.\r\nFigure 9. Code comparison between the sideloaded PYTHON33.dll uploaded to webshell and the inicore_v2.3.30.dll file sideloaded in previous Emissary Panda attacks\r\nConclusion\r\n\r\nThe Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked as CVE-2019-0604. 
According to Microsoft\u2019s advisory, this vulnerability was patched on March 12, 2019, and we first saw the webshell activity on April 1, 2019, roughly three weeks later. This suggests that the threat group was able to quickly leverage a known vulnerability to exploit Internet-facing servers to gain access to targeted networks, and underlines that patches for Internet-facing SharePoint servers need to be applied within days rather than weeks.\r\n\r\nOnce the adversary established a foothold on the targeted network, they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials, perform network reconnaissance and pivot to other systems. We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010. We also observed the actors uploading legitimate tools that would sideload DLLs, specifically the Sublime Text plugin host and Microsoft\u2019s Create Media application, both of which we had never seen used for DLL sideloading before. \r\n\r\nPalo Alto Networks customers are protected by:\r\n\r\n \tThe CVE-2019-0604 vulnerability is covered by our IPS signature Microsoft Sharepoint Remote Code Execution Vulnerability (55411)\r\n \tAll illegitimate tools uploaded to the webshells are marked with malicious verdicts by WildFire and Traps.\r\n \tAutoFocus customers can track the custom Emissary Panda payload seen uploaded to the webshell using the HyperBro tag, but can also track the hack tools using the following tags (note that these hack tools, like the China Chopper webshell, are used by multiple actors and not just Emissary Panda, so on their own they do not support attribution):\r\n\r\n \tSmbExec\r\n \tPsExec\r\n \tPsExec_Python\r\n \tBChecker\r\n \tZZZ_Exploit\r\n \tTermite\r\n \tIncognito\r\n \tPwDump\r\n\r\n\r\n\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
For more information on the Cyber Threat Alliance, visit www.cyberthreatalliance.org.\r\n\r\nIOCs\r\n\r\nWebshells SHA256\r\n\r\n006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38\r\n\r\n2feae7574a2cc4dea2bff4eceb92e3a77cf682c0a1e78ee70be931a251794b86\r\n\r\nd1ab0dff44508bac9005e95299704a887b0ffc42734a34b30ebf6d3916053dbe\r\n\r\n6b3f835acbd954af168184f57c9d8e6798898e9ee650bd543ea6f2e9d5cf6378\r\n\r\nMalicious HackTools and Payloads SHA256\r\n\r\n88027a44dc82a97e21f04121eea2e86b4ddf1bd7bbaa4ad009b97b50307570bd\r\n\r\n738128b4f42c8d2335d68383d72734130c0c4184725c06851498a4cf0374a841\r\n\r\n3bca0bb708c5dad1c683c6ead857a5ebfa15928a59211432459a3efa6a1afc59\r\n\r\n29897f2ae25017455f904595872f2430b5f7fedd00ff1a46f1ea77e50940128e\r\n\r\nd0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333\r\n\r\na18326f929229da53d4cc340bde830f75e810122c58b523460c8d6ba62ede0e5\r\n\r\n090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98\r\n\r\n7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7\r\n\r\n38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c\r\n\r\n4a26ec5fd16ee13d869d6b0b6177e570444f6a007759ea94f1aa18fa831290a8\r\n\r\nb2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9\r\n\r\n475c7e88a6d73e619ec585a7c9e6e57d2efc8298b688ebc10a3c703322f1a4a7\r\n\r\n9f5f3a9ce156213445d08d1a9ea99356d2136924dc28a8ceca6d528f9dbd718b\r\n\r\nc9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e\r\n\r\na6cad2d0f8dc05246846d2a9618fc93b7d97681331d5826f8353e7c3a3206e86\r\n\r\ne781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee\r\n\r\nd0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333\r\n\r\n06510504f30feb1adc7e423d5a24e67e5b97acbfafe40f253a054be8b1c4e8d7\r\n\r\nb279a41359367408c627ffa8d80051ed0f04c76fbf6aed79b3b2963203e08ade\r\n\r\n7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7\r\n\r\n04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462\r\n\r\n090cefebef655be7f879f2f1
4bd849ac20c4051d0c13e55410a49789738fad98\r\n\r\n38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c\r\n\r\n2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528\r\n\r\nHyperBro C2\r\n\r\nhxxps:\/\/185.12.45[.]134:443\/ajax\r\n\r\n185.12.45[.]134","publisher":{"@type":"Organization","@id":"#panworg"},"image":{"@type":"ImageObject","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2024\/06\/01_Nation-State-cyberattacks_1920x900-300x300.jpg","width":300,"height":300},"speakable":{"@type":"SpeakableSpecification","xPath":["\/html\/head\/title","\/html\/head\/meta[@name='description']\/@content"]},"author":[{"@type":"Person","name":"Robert Falcone"},{"@type":"Person","name":"Tom Lancaster"}]}</script><link rel='stylesheet' id='crayon-css' href='https://unit42.paloaltonetworks.com/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=_2.7.2_beta' media='all' /> <style id='co-authors-plus-coauthors-style-inline-css'> .wp-block-co-authors-plus-coauthors.is-layout-flow [class*=wp-block-co-authors-plus]{display:inline} </style> <style id='co-authors-plus-avatar-style-inline-css'> .wp-block-co-authors-plus-avatar :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-avatar :where(img){vertical-align:middle}.wp-block-co-authors-plus-avatar:is(.alignleft,.alignright){display:table}.wp-block-co-authors-plus-avatar.aligncenter{display:table;margin-inline:auto} </style> <style id='co-authors-plus-image-style-inline-css'> .wp-block-co-authors-plus-image{margin-bottom:0}.wp-block-co-authors-plus-image :where(img){height:auto;max-width:100%;vertical-align:bottom}.wp-block-co-authors-plus-coauthors.is-layout-flow .wp-block-co-authors-plus-image :where(img){vertical-align:middle}.wp-block-co-authors-plus-image:is(.alignfull,.alignwide) 
'Prisma'){ article.dataset.type = 'prisma'; $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned'); } else if(referer == 'Cortex'){ article.dataset.type = 'cortex'; } else if(referer == 'Sase'){ article.dataset.type = 'sase'; } else if(referer == 'Unit'){ article.dataset.type = 'unit'; } else if(referer == 'Ngfw'){ article.dataset.type = 'ngfw'; } //set class to default if(referer == 'Unit' || referer == 'Ngfw'){ $('#PAN_2021_NAV_ASYNC').removeClass('default').addClass('defaultRedesigned'); } callMainSitePrismaNavHTML(); } </script> <!-- End: Scripts Migrated From Unit42-v5 --> <main class="main"> <section class="section section--article"> <div class="pa article-banner" style="background-image:url('https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/01_Nation-State-cyberattacks_1920x900.jpg')"> <div class="l-container"> <div class="l-breadcrumbs"> <ul> <li> <a href="https://unit42.paloaltonetworks.com" role="link" title="Threat Research" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:breadcrumb:Threat Research">Threat Research Center</a></li><li><a href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/" role="link" title="Threat Actor Groups" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:breadcrumb:Threat Actor Groups">Threat Actor Groups</a></li><li class="is-current"><a href="https://unit42.paloaltonetworks.com/category/nation-state-cyberattacks/" role="link" title="Nation-State Cyberattacks" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:breadcrumb:Nation-State Cyberattacks">Nation-State Cyberattacks</a></li> </ul> </div> <div class="ab__title"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/nation-state-cyberattacks/" role="link" data-page-track="true" 
data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Nation-State Cyberattacks"><span class="ab-title__pre">Nation-State Cyberattacks</span></a> <h1>Emissary Panda Attacks Middle East Government SharePoint Servers</h1> <div class="ab__video"> <span class="duration"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-clock.svg" alt="Clock Icon"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 13</span> <span class="rt-label rt-postfix"></span></span> min read </span> </div> <div class="ab-lc__wrapper"> <span class="ab-title__pre">Related Products</span><div class="ab__link-cards"><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/advanced-threat-prevention/" style="--card-color: #ffcb06" role="link" title="Advanced Threat Prevention" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Advanced Threat Prevention"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/strata_RGB_logo_Icon_Color.png" alt="Advanced Threat Prevention icon">Advanced Threat Prevention</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/advanced-wildfire/" style="--card-color: #ffcb06" role="link" title="Advanced WildFire" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Advanced WildFire"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/strata_RGB_logo_Icon_Color.png" alt="Advanced WildFire icon">Advanced WildFire</a><a class="l-linkcard is-blue" href="https://unit42.paloaltonetworks.com/product-category/cortex-xdr/" style="--card-color: #00cc66" role="link" title="Cortex XDR" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Cortex 
XDR"><img src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/cortex_RGB_logo_Icon_Color.png" alt="Cortex XDR icon">Cortex XDR</a></div> </div> </div> </div> <div class="ab__footer"> <div class="l-container"> <div class="ab__footer-wrapper"> <ul class="ab__features" role="list"> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-profile-grey.svg" alt="Profile Icon"> <div class="ab__text"><span>By:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Robert Falcone" href="https://unit42.paloaltonetworks.com/author/robertfalcone/">Robert Falcone</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Tom Lancaster" href="https://unit42.paloaltonetworks.com/author/tom-lancaster/">Tom Lancaster</a></li></ul></div></li> <li role="listitem"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-calendar-grey.svg" alt="Published Icon"> <div class="ab__text"><span>Published:</span>May 28, 2019</div></li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-category.svg" alt="Tags Icon"><div class="ab__text"><span>Categories:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Malware" href="https://unit42.paloaltonetworks.com/category/malware/">Malware</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Nation-State Cyberattacks" href="https://unit42.paloaltonetworks.com/category/nation-state-cyberattacks/">Nation-State Cyberattacks</a></li><li><a data-page-track="true" 
data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Threat Actor Groups" href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/">Threat Actor Groups</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Threat Research" href="https://unit42.paloaltonetworks.com/category/threat-research/">Threat Research</a></li></ul></div> </li> <li role="listitem"><img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-tags-grey.svg" alt="Tags Icon"><div class="ab__text"><span>Tags:</span><ul class="ab__tags"><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:APT27" href="https://unit42.paloaltonetworks.com/tag/apt27/">APT27</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Bronze Union" href="https://unit42.paloaltonetworks.com/tag/bronze-union/">Bronze Union</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:China Chopper" href="https://unit42.paloaltonetworks.com/tag/china-chopper/">China Chopper</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:CVE-2019-0604" href="https://unit42.paloaltonetworks.com/tag/cve-2019-0604/">CVE-2019-0604</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:DLL Sideloading" href="https://unit42.paloaltonetworks.com/tag/dll-sideloading/">DLL Sideloading</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Emissary Panda" href="https://unit42.paloaltonetworks.com/tag/emissary-panda/">Emissary Panda</a></li><li><a 
data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:ETERNALBLUE" href="https://unit42.paloaltonetworks.com/tag/eternalblue/">ETERNALBLUE</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:HyperBro" href="https://unit42.paloaltonetworks.com/tag/hyperbro/">HyperBro</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:Lucky Mouse" href="https://unit42.paloaltonetworks.com/tag/lucky-mouse/">Lucky Mouse</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:MS17-010" href="https://unit42.paloaltonetworks.com/tag/ms17-010/">MS17-010</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:TG-3390" href="https://unit42.paloaltonetworks.com/tag/tg-3390/">TG-3390</a></li><li><a data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:webshell" href="https://unit42.paloaltonetworks.com/tag/webshell/">Webshell</a></li></ul></div> </li> </ul> <div class="ab__options"> <ul role="list"> <li role="listitem"><a href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/?pdf=download&#038;lg=en&#038;_wpnonce=b771331377" role="link" target="_blank" title="Click here to download" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:hero:pdfdownload"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-download.svg" alt="Download Icon"></a></li> <li role="listitem"><a 
data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:share:reddit"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-reddit-share.svg" alt="Reddit Icon"></a> </li> <li role="menuitem"> <a href="https://mastodon.social/share?text=Emissary%20Panda%20Attacks%20Middle%20East%20Government%20SharePoint%20Servers%20https%3A%2F%2Funit42.paloaltonetworks.com%2Femissary-panda-attacks-middle-east-government-sharepoint-servers%2F" target="_blank" role="link" title="Share in Mastodon" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:share:mastodon"> <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-mastodon-share.svg" alt="Mastodon Icon"></a> </li> </ul> </div> </div> </div> </div> </div> </div> </section> <section class="section blog-contents"> <div class="pa blog-editor"> <div class="l-container"> <div class="be__wrapper"> <div class="be__contents"> <div class="be__contents-wrapper"> <p class="wpml-ls-statics-post_translations wpml-ls">This post is also available in: <span class="wpml-ls-slot-post_translations wpml-ls-item wpml-ls-item-ja wpml-ls-first-item wpml-ls-last-item wpml-ls-item-legacy-post-translations"><a href="https://unit42.paloaltonetworks.jp/emissary-panda-attacks-middle-east-government-sharepoint-servers/" class="wpml-ls-link"><span class="wpml-ls-native" lang="ja">日本語</span><span class="wpml-ls-display"><span class="wpml-ls-bracket"> (</span>Japanese<span class="wpml-ls-bracket">)</span></span></a></span></p><p><span style="font-weight: 400; font-size: 18pt;">Executive Summary</span></p> <p><span style="font-weight: 400;">In April 2019, Unit 42 observed the Emissary Panda (AKA APT27, TG-3390, Bronze Union, Lucky Mouse) threat group installing webshells on SharePoint servers to compromise Government Organizations of two different countries in the Middle East. 
We believe the adversary exploited a recently </span><a href="https://support.microsoft.com/en-us/help/4462211/description-of-the-security-update-for-sharepoint-enterprise-server"><span style="font-weight: 400;">patched</span></a><span style="font-weight: 400;"> vulnerability in Microsoft SharePoint tracked by </span><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0604"><span style="font-weight: 400;">CVE-2019-0604</span></a><span style="font-weight: 400;">, which is a remote code execution vulnerability used to compromise the server and eventually install a webshell. The actors uploaded a variety of tools that they used to perform additional activities on the compromised network, such as dumping credentials, as well as locating and pivoting to additional systems on the network. Of particular note is their use of tools to identify systems vulnerable to </span><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0144"><span style="font-weight: 400;">CVE-2017-0144</span></a><span style="font-weight: 400;">, which is the same vulnerability exploited by EternalBlue that is best known for its use in the WannaCry attacks of 2017.</span></p> <p><span style="font-weight: 400;">This activity appears related to campaigns exploiting CVE-2019-0604 mentioned in recent security alerts from </span><a href="https://www.ncsc.gov.sa/wps/portal/ncsc/home/Alerts/!ut/p/z1/lVLRboJAEPwaH8kud-cBj2elYKkxYgpyLwYR67VyaEts-_c9apM2aYS6T3PJ3O7szIKEJUidn9Rj3qha53vzziRf2fbYDUmA9zMnGqMYzRe3QxpQMUVIQIIsdHNodpDp4rXYq_UAWzDAXV2VZ7xq4arULflQqA1khBPGiyGxkOWOxYiXW57tEWvLGS9dToi33kD6NR0njIU2I9EsRkRBkzCk7o2NAQX5W5w7cgTOEZOJmER0HvHv_x0E2b1cz3zyv_l4oQReqf-vQNndfmEcvzuTLntoIlZPx6MUJsdaN-V7A8v-INM2yh5z-uRlZj3nZ70g8bjpEDt-Evt0ljBIT6p8gwddv1TmFhdXXk-IcKgql34oU1aQWs_bqU_ZJ0-OxIA!/dz/d5/L2dBISEvZ0FBIS9nQSEh/#collapseOne1"><span style="font-weight: 400;">Saudi Arabian National Cyber Security Center</span></a><span style="font-weight: 400;"> and the </span><a 
href="https://cyber.gc.ca/en/alerts/china-chopper-malware-affecting-sharepoint-servers"><span style="font-weight: 400;">Canadian Center for Cyber Security</span></a><span style="font-weight: 400;">. In addition to the aforementioned post-exploitation tools, the actors used these webshells to upload legitimate executables that they then used for DLL sideloading, running a malicious DLL that has code overlaps with known </span><a href="https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/"><span style="font-weight: 400;">Emissary Panda attacks</span></a><span style="font-weight: 400;">. We also found the China Chopper webshell on the SharePoint servers; the Emissary Panda threat group has used China Chopper in the past as well.</span></p> <p><span style="font-weight: 400;">In this blog, we provide details of the tools and tactics we observed on these compromised SharePoint servers, explain how we believe these connect to the Emissary Panda threat group, correlate our findings with those of the Saudi Arabian National Cyber Security Center and the Canadian Center for Cyber Security, and provide indicators of compromise (IoCs) from our research. You can find the Adversary Playbook for the activity detailed in this blog in the <a href="https://pan-unit42.github.io/playbook_viewer/">Unit 42 Playbook Viewer</a>.</span></p> <p><span style="font-weight: 400; font-size: 18pt;">Attack Overview</span></p> <p><span style="font-weight: 400;">This webshell activity took place across three SharePoint servers hosted by two different government organizations between April 1, 2019 and April 16, 2019, where actors uploaded a total of 24 unique executables across the three SharePoint servers. </span><span style="font-weight: 400;">Figure 1</span><span style="font-weight: 400;"> shows a timeline of when the files were uploaded to the three webshells. 
The timeline shows three main clusters of activity across the three webshells: activity on two separate webshells (green and orange) within a very small window of time on April 2, 2019, and activity involving the third webshell two weeks later on April 16, 2019. The actors uploaded several of the same tools across these three webshells, which links the incidents to one another and indicates that a single threat group is likely involved.</span></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image7-1.png" rel="wpdevart_lightbox"><img class="alignnone size-full wp-image-97003 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image7-1.png" alt="Timeline of file uploads across three related webshells" width="1490" height="556" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image7-1.png 1490w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image7-1-300x112.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image7-1-768x287.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image7-1-1024x382.png 1024w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image7-1-900x336.png 900w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image7-1-370x138.png 370w" sizes="(max-width: 1490px) 100vw, 1490px" /></a><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Figure 1. Timeline of file uploads across three related webshells</span></i></span></p> <p><span style="font-weight: 400;">The tools uploaded to the webshells range from legitimate applications such as cURL to post-exploitation tools such as Mimikatz. 
The threat actors also uploaded tools to scan for and exploit potential vulnerabilities in the network, such as the well-known SMB vulnerability patched in </span><a href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010"><span style="font-weight: 400;">MS17-010</span></a><span style="font-weight: 400;"> and exploited by EternalBlue, in order to move laterally to other systems on the network. We also observed the actors uploading custom backdoors such as </span><a href="https://securelist.com/luckymouse-hits-national-data-center/86083/"><span style="font-weight: 400;">HyperBro, which is commonly associated with Emissary Panda</span></a><span style="font-weight: 400;">. Based on the functionality of the various tools uploaded to the webshells, we believe the threat actors breached the SharePoint servers to use them as a beachhead, then attempted to move laterally across the network using stolen credentials and by exploiting vulnerabilities on internal systems. </span></p> <p><span style="font-weight: 400; font-size: 18pt;">Webshells Installed</span></p> <p><span style="font-weight: 400;">As previously mentioned, we found webshells installed on three SharePoint servers hosted at two different organizations. Two of the webshells had the same file name, </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">errr.aspx</span><span style="font-weight: 400;">, and the other had the file name</span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;"> error2.aspx</span><span style="font-weight: 400;">. 
The webshells were hosted at the following paths on the compromised servers:</span></p> <p><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">/_layouts/15/error2.aspx</span></p> <p><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">/_layouts/15/errr.aspx</span></p> <p><span style="font-weight: 400;">Note that </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">/_layouts/15/</span><span style="font-weight: 400;"> is SharePoint's shared layouts virtual directory: it typically maps to the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">TEMPLATE\LAYOUTS</span><span style="font-weight: 400;"> folder of the SharePoint hive on disk and is exposed under every site collection's URL, so a file dropped there is reachable from any site on the server. Unexpected or recently written </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">.aspx</span><span style="font-weight: 400;"> files in that folder are therefore a practical hunting indicator for defenders.</span></p> <p><span style="font-weight: 400;">We were able to gather one of the webshells with which we saw the actor interacting, specifically the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">error2.aspx</span><span style="font-weight: 400;"> file listed above. The </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">error2.aspx</span><span style="font-weight: 400;"> file (SHA256: </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38</span><span style="font-weight: 400;">) is a variant of the </span><a href="https://www.labofapenetrationtester.com/2014/06/introducing-antak.html"><span style="font-weight: 400;">Antak webshell</span></a><span style="font-weight: 400;">, which is part of a tool created for red teaming called </span><a href="https://github.com/samratashok/nishang"><span style="font-weight: 400;">Nishang</span></a><span style="font-weight: 400;">. The specific variant of Antak in </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">error2.aspx</span><span style="font-weight: 400;"> is version v0.5.0, an older version of the webshell; Antak was updated in August 2015 to v0.7.6 to include some basic authentication functionality and the ability to perform SQL queries. If, as that version history implies, v0.5.0 lacks authentication, anyone who discovers the file's path can issue commands through it, not only the actor who planted it. 
It’s possible the actors obtained Antak v0.5.0 via the </span><a href="https://github.com/samratashok/nishang"><span style="font-weight: 400;">Nishang GitHub repository</span></a><span style="font-weight: 400;"> or from </span><a href="https://github.com/SecWiki/WebShell-2/blob/master/Aspx/Antak%20Webshell.aspx"><span style="font-weight: 400;">SecWiki’s GitHub</span></a><span style="font-weight: 400;"> that also has the v0.5.0 version of Antak. </span><span style="font-weight: 400;">Figure 2 </span><span style="font-weight: 400;">shows the Antak webshell loaded on one of the Sharepoint servers. </span></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image8.png" rel="wpdevart_lightbox"><img class="aligncenter size-full wp-image-96988 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image8.png" alt="" width="1477" height="958" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image8.png 1477w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image8-300x195.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image8-768x498.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image8-1024x664.png 1024w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image8-900x584.png 900w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image8-370x240.png 370w" sizes="(max-width: 1477px) 100vw, 1477px" /></a><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Figure 2. Antak webshell ‘error2.aspx’ used to upload post-exploitation tools</span></i></span></p> <p><span style="font-weight: 400;">While we observed the threat actor uploading additional tools to the Antak webshell above, the Sharepoint server also had several other webshells installed. 
The additional webshells, specifically </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecs.aspx</span><span style="font-weight: 400;">, </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecss.aspx, </span><span style="font-weight: 400;">and</span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;"> test.aspx </span><span style="font-weight: 400;">are listed in </span><span style="font-weight: 400;">Table 1</span><span style="font-weight: 400;">, and appear related to the China Chopper webshell. We cannot be sure all of these webshells were installed by the same actors, as multiple actors could have exploited the SharePoint server. For instance, the China Chopper-related webshells are a single line of JScript code that could easily be copied and used by multiple groups, and the Antak webshell is easily obtained from publicly accessible repositories. However, the installation of China Chopper and the uploading of Emissary Panda-related custom payloads to the Antak webshell suggest they are likely related, as this threat group has used</span><a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"><span style="font-weight: 400;"> China Chopper to compromise servers in the past</span></a><span style="font-weight: 400;">.</span></p> <table> <thead> <tr> <th scope="col" style="width: 91px;">Filename</th> <th scope="col" style="width: 546px;">SHA256</th> </tr> </thead> <tbody> <tr> <td style="width: 91px;"><span style="font-weight: 400;">stylecs.aspx</span></td> <td style="width: 546px;"><span style="font-weight: 400;">2feae7574a2cc4dea2bff4eceb92e3a77cf682c0a1e78ee70be931a251794b86</span></td> </tr> <tr> <td style="width: 91px;"><span style="font-weight: 400;">stylecss.aspx</span></td> <td style="width: 546px;"><span style="font-weight: 400;">d1ab0dff44508bac9005e95299704a887b0ffc42734a34b30ebf6d3916053dbe</span></td> </tr> <tr> <td 
style="width: 91px;"><span style="font-weight: 400;">test.aspx</span></td> <td style="width: 546px;"><span style="font-weight: 400;">6b3f835acbd954af168184f57c9d8e6798898e9ee650bd543ea6f2e9d5cf6378</span></td> </tr> </tbody> </table> <p style="text-align: center;"><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Table 1. Additional webshells hosted on Sharepoint server</span></i></span></p> <p><span style="font-weight: 400;">The </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecs.aspx</span><span style="font-weight: 400;"> webshell provides fairly significant functionality, as its developer wrote this webshell in JScript that ultimately runs any supplied JScript code provided to it within the HTTP request. </span><span style="font-weight: 400;">Figure 3</span><span style="font-weight: 400;"> shows this webshell’s code that will run supplied JScript provided in base64 encoded format within the URL within a parameter </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">e358efa489f58062f10dd7316b65649e</span><span style="font-weight: 400;">. 
The parameter </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">e358efa489f58062f10dd7316b65649e</span><span style="font-weight: 400;"> is interesting as it is the MD5 hash for the letter ‘t’, which is a known parameter for China Chopper as mentioned in the next section.</span></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image9.png" rel="wpdevart_lightbox"><img class="aligncenter size-full wp-image-96989 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image9.png" alt="" width="664" height="36" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image9.png 664w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image9-300x16.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image9-370x20.png 370w" sizes="(max-width: 664px) 100vw, 664px" /></a><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Figure 3. 
China Chopper code found in </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">stylecs.aspx</span></i></span><i><span style="font-weight: 400;"> webshell on SharePoint server</span></i></span></p> <p><span style="font-weight: 400;">The </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecss.aspx</span><span style="font-weight: 400;"> webshell is very similar to the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecs.aspx</span><span style="font-weight: 400;">, as it runs JScript provided within the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">e358efa489f58062f10dd7316b65649e</span><span style="font-weight: 400;"> parameter of the URL; however, the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecss.aspx</span><span style="font-weight: 400;"> webshell does not accept base64 encoded JScript, but expects the JScript in cleartext that the actor would provide as URL safe text. 
</span><span style="font-weight: 400;">Figure 4 </span><span style="font-weight: 400;">shows the code within </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecss.aspx</span><span style="font-weight: 400;">, which when compared to</span><span style="font-weight: 400;"> Figure 3</span><span style="font-weight: 400;"> above shows the lack of the base64 decoding function ‘FromBase64String’.</span></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image1.png" rel="wpdevart_lightbox"><img class="alignnone size-full wp-image-96982 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image1.png" alt="" width="682" height="22" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image1.png 682w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image1-300x10.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image1-370x12.png 370w" sizes="(max-width: 682px) 100vw, 682px" /></a><br /> <span style="font-size: 10pt;"><i><span style="font-weight: 400;">Figure 4. China Chopper code found in </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">stylecss.aspx</span></i></span><i><span style="font-weight: 400;"> webshell on SharePoint server</span></i></span></p> <p><span style="font-weight: 400;">The last webshell extracted from the Sharepoint server had a filename of </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">test.aspx</span><span style="font-weight: 400;">, which is very similar to the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecs.aspx </span><span style="font-weight: 400;">webshell as it runs base64 encoded JScript provided in the URL of the request. 
However, the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">test.aspx</span><span style="font-weight: 400;"> webshell uses a parameter related to the compromised organization to obtain the base64 encoded JScript that it will run and display within the browser. The</span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;"> test.aspx</span><span style="font-weight: 400;"> shell also includes code that sets the HTTP response status to a </span><span style="font-weight: 400;">404 Not Found</span><span style="font-weight: 400;">, which will display an error page but will still run the provided JScript. As a result, a 404 status for requests to this file in the web server logs does not mean the request was unsuccessful. </span><span style="font-weight: 400;">Figure 5</span><span style="font-weight: 400;"> shows the code within the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">test.aspx</span><span style="font-weight: 400;"> file. </span></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image3.png" rel="wpdevart_lightbox"><img class="aligncenter size-full wp-image-96983 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image3.png" alt="" width="720" height="35" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image3.png 720w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image3-300x15.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image3-370x18.png 370w" sizes="(max-width: 720px) 100vw, 720px" /></a><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Figure 5. 
China Chopper code found in </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">test.aspx</span></i></span><i><span style="font-weight: 400;"> webshell on SharePoint server</span></i></span></p> <p><span style="font-weight: 400; font-size: 18pt;">Links to Security Advisories</span></p> <p><span style="font-weight: 400;">In April 2019, several national security organizations released alerts on CVE-2019-0604 exploitation, including the</span><a href="https://www.ncsc.gov.sa/wps/portal/ncsc/home/Alerts/!ut/p/z1/lVLRboJAEPwaH8kud-cBj2elYKkxYgpyLwYR67VyaEts-_c9apM2aYS6T3PJ3O7szIKEJUidn9Rj3qha53vzziRf2fbYDUmA9zMnGqMYzRe3QxpQMUVIQIIsdHNodpDp4rXYq_UAWzDAXV2VZ7xq4arULflQqA1khBPGiyGxkOWOxYiXW57tEWvLGS9dToi33kD6NR0njIU2I9EsRkRBkzCk7o2NAQX5W5w7cgTOEZOJmER0HvHv_x0E2b1cz3zyv_l4oQReqf-vQNndfmEcvzuTLntoIlZPx6MUJsdaN-V7A8v-INM2yh5z-uRlZj3nZ70g8bjpEDt-Evt0ljBIT6p8gwddv1TmFhdXXk-IcKgql34oU1aQWs_bqU_ZJ0-OxIA!/dz/d5/L2dBISEvZ0FBIS9nQSEh/#collapseOne1"><span style="font-weight: 400;"> Saudi Arabian National Cyber Security Center</span></a><span style="font-weight: 400;"> and the </span><a href="https://cyber.gc.ca/en/alerts/china-chopper-malware-affecting-sharepoint-servers"><span style="font-weight: 400;">Canadian Center for Cyber Security</span></a><span style="font-weight: 400;">. Both of these alerts discussed campaigns in which actors used the CVE-2019-0604 to exploit SharePoint servers to install the China Chopper webshell. While we cannot confirm all of the claims made in these advisories, we noticed overlaps in the webshell code hosted on the compromised SharePoint servers we observed and the webshells mentioned in these advisories.</span></p> <p><span style="font-weight: 400;">The Saudi Arabian National Cyber Security Center’s alert provided details regarding the activities carried out by the adversary. 
This alert also displayed the code associated with the China Chopper webshell observed in the attacks, which included </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">Request.Item["t"] </span><span style="font-weight: 400;">to obtain JScript code from the ‘t’ parameter of the URL. As mentioned in the previous section, </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecs.aspx</span><span style="font-weight: 400;"> and </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecss.aspx</span><span style="font-weight: 400;"> both used a parameter of </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">e358efa489f58062f10dd7316b65649e</span><span style="font-weight: 400;">, which is the MD5 hash of ‘t’. This may suggest the actor modified the script slightly between the attack we observed, and the attack mentioned in the NCSC advisory, all while retaining the same functionality. Also, the NCSC advisory mentioned that the actors used a file name </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecss.aspx</span><span style="font-weight: 400;"> for their webshell, which is the same filename we saw associated with China Chopper. </span></p> <p><span style="font-weight: 400;">The alert from the Canadian Center for Cyber Security included the SHA256 hashes of the files associated with the campaign, one of which was </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4</span><span style="font-weight: 400;"> for a file named </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">pay.aspx</span><span style="font-weight: 400;">. 
The </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">pay.aspx</span><span style="font-weight: 400;"> file is part of the China Chopper webshell and is very similar to the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecss.aspx</span><span style="font-weight: 400;"> webshell we discussed above, with the only major difference being the ‘vuiHWNVJAEF’ URL parameter that </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">pay.aspx</span><span style="font-weight: 400;"> webshell uses to obtain and run JScript. </span><span style="font-weight: 400;">Figure 6</span><span style="font-weight: 400;"> below shows a comparison between the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">stylecss.aspx</span><span style="font-weight: 400;"> and</span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;"> pay.aspx </span><span style="font-weight: 400;">files.</span></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image2.png" rel="wpdevart_lightbox"><img class="aligncenter size-full wp-image-96981 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image2.png" alt="" width="1273" height="89" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image2.png 1273w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image2-300x21.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image2-768x54.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image2-1024x72.png 1024w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image2-900x63.png 900w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image2-370x26.png 370w" sizes="(max-width: 1273px) 100vw, 1273px" /></a><span style="font-size: 10pt;"><i><span 
style="font-weight: 400;">Figure 6. Comparison between </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">stylecss.aspx</span></i></span><i><span style="font-weight: 400;"> webshell and </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">pay.aspx</span></i></span><i><span style="font-weight: 400;"> webshell discussed in Canadian Center for Cyber Security advisory</span></i></span></p> <p><span style="font-weight: 400; font-size: 18pt;">Tools Uploaded</span></p> <p><span style="font-weight: 400;">During our research into this attack campaign, Unit 42 gathered several tools that the actor uploaded to the three webshells at the two government organizations. The chart in </span><span style="font-weight: 400;">Figure 7</span><span style="font-weight: 400;"> shows the same tools being uploaded to the webshells, which provided an initial linkage between the activities. One of the overlapping tools uploaded to the webshells is the legitimate cURL application, which could be used by multiple groups. The other overlapping files are tools used by the adversary to locate other systems on the network (</span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">etool.exe</span><span style="font-weight: 400;">), check whether they are vulnerable to CVE-2017-0144 (EternalBlue), patched in MS17-010 (</span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">checker1.exe</span><span style="font-weight: 400;">), and pivot to them using the remote execution functionality of a PsExec-like tool from </span><a href="https://github.com/SecureAuthCorp/impacket"><span style="font-weight: 400;">Impacket</span></a><span style="font-weight: 400;"> (</span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">psexec.exe</span><span style="font-weight: 400;">). 
These tools are not custom made by the adversary but still provide a medium confidence linkage between the activities. We also observed the actors uploading the HyperBro backdoor to one of the webshells, as well as legitimate executables that would sideload malicious DLLs that have overlapping code associated with known Emissary Panda activity. </span></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image6-1.png" rel="wpdevart_lightbox"><img class="alignnone wp-image-97005 size-full lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image6-1.png" alt="" width="3250" height="1390" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image6-1.png 3250w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image6-1-300x128.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image6-1-768x328.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image6-1-1024x438.png 1024w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image6-1-900x385.png 900w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image6-1-370x158.png 370w" sizes="(max-width: 3250px) 100vw, 3250px" /></a></p> <p style="text-align: center;"><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Figure 7. Relationships between tools uploaded to the three webshells hosted on SharePoint servers</span></i></span></p> <p><span style="font-weight: 400;">The actors uploaded 10 portable executables to the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">error2.aspx</span><span style="font-weight: 400;"> webshell, as seen in </span><span style="font-weight: 400;">Table 2. 
</span><span style="font-weight: 400;">The list of tools uploaded to this webshell includes legitimate applications, such as cURL and a component of Sublime Text used to sideload a malicious DLL, which we will discuss in an upcoming section. The list also includes several hack tools, such as Mimikatz for credential dumping and several compiled python scripts used to locate and compromise other systems on the local network. Lastly, we saw the actor uploading a custom backdoor called HyperBro, which has been associated with Emissary Panda operations in the past. We will provide an analysis of the HyperBro tool in an upcoming section. </span></p> <table> <tbody> <tr> <td><b>Filename</b></td> <td><b>SHA256</b></td> <td><b>Description</b></td> </tr> <tr> <td><span style="font-weight: 400;">m2.exe</span></td> <td><span style="font-weight: 400;">b279a41359367408c627ffa8d80051ed0f04c76fbf6aed79b3b2963203e08ade</span></td> <td><span style="font-weight: 400;">Packed Mimikatz tool.</span></td> </tr> <tr> <td><span style="font-weight: 400;">psexec.exe</span></td> <td><span style="font-weight: 400;">7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7</span></td> <td><span style="font-weight: 400;">Compiled </span><a href="https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py"><span style="font-weight: 400;">Impacket psexec</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">s.exe</span></td> <td><span style="font-weight: 400;">04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462</span></td> <td><span style="font-weight: 400;">HyperBro backdoor</span></td> </tr> <tr> <td><span style="font-weight: 400;">curl.exe</span></td> <td><span style="font-weight: 400;">abc16344cdfc78f532870f4dcfbb75794c9a7074e796477382564d7ba2122c7d</span></td> <td><span style="font-weight: 400;">Legitimate cURL</span></td> </tr> <tr> <td><span style="font-weight: 400;">curl.exe</span></td> <td><span style="font-weight: 
400;">bbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab</span></td> <td><span style="font-weight: 400;">Legitimate cURL</span></td> </tr> <tr> <td><span style="font-weight: 400;">checker1.exe</span></td> <td><span style="font-weight: 400;">090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98</span></td> <td><span style="font-weight: 400;">Compiled </span><a href="https://github.com/3ndG4me/AutoBlue-MS17-010/blob/master/eternalblue_checker.py"><span style="font-weight: 400;">EternalBlue checker script</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">etool.exe</span></td> <td><span style="font-weight: 400;">38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c</span></td> <td><span style="font-weight: 400;">C# Tool, likely from </span><a href="https://github.com/mubix/netview"><span style="font-weight: 400;">https://github.com/mubix/netview</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">plugin_host.exe</span></td> <td><span style="font-weight: 400;">738abaa80e8b6ed21e16302cb91f6566f9322aebf7a22464f11ee9f4501da711</span></td> <td><span style="font-weight: 400;">Legitimate Sublime Text plugin host</span></td> </tr> <tr> <td><span style="font-weight: 400;">PYTHON33.dll</span></td> <td><span style="font-weight: 400;">2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528</span></td> <td><span style="font-weight: 400;">Sideloaded DLL loaded by Sublime Text</span></td> </tr> <tr> <td><span style="font-weight: 400;">curl.exe</span></td> <td><span style="font-weight: 400;">bbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab</span></td> <td><span style="font-weight: 400;">Legitimate cURL.</span></td> </tr> </tbody> </table> <p style="text-align: center;"><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Table 2. 
Unique tools uploaded to the </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">error2.aspx</span></i></span><i><span style="font-weight: 400;"> webshell installed on a SharePoint server</span></i></span></p> <p><span style="font-weight: 400;">We saw 17 tools uploaded to the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">errr.aspx</span><span style="font-weight: 400;"> webshell hosted on the SharePoint server of one of the government organizations, which is in the middle of the chart in </span><span style="font-weight: 400;">Figure 7. Table 3</span><span style="font-weight: 400;"> shows all of the tools we observed the actor uploading to the webshell, which includes a list of tools used to dump credentials, locate, and exploit remote systems, as well as pivoting to other systems on the network. </span></p> <table> <tbody> <tr> <td><b>Filename</b></td> <td><b>SHA256</b></td> <td><b>Description</b></td> </tr> <tr> <td><span style="font-weight: 400;">smb1.exe</span></td> <td><span style="font-weight: 400;">88027a44dc82a97e21f04121eea2e86b4ddf1bd7bbaa4ad009b97b50307570bd</span></td> <td><span style="font-weight: 400;">SMB backdoor based on </span><a href="https://github.com/abatchy17/WindowsExploits/blob/master/MS08-068/src/smbrelay3.cpp"><span style="font-weight: 400;">smbrelay3</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">mcmd.exe</span></td> <td><span style="font-weight: 400;">738128b4f42c8d2335d68383d72734130c0c4184725c06851498a4cf0374a841</span></td> <td><span style="font-weight: 400;">Compiled </span><a href="https://github.com/worawit/MS17-010/blob/master/zzz_exploit.py"><span style="font-weight: 400;">zzz_exploit.py</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">mcafee.exe</span></td> <td><span style="font-weight: 400;">3bca0bb708c5dad1c683c6ead857a5ebfa15928a59211432459a3efa6a1afc59</span></td> <td><span style="font-weight: 
400;">Compiled </span><a href="https://github.com/worawit/MS17-010/blob/master/zzz_exploit.py"><span style="font-weight: 400;">zzz_exploit.py</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">dump.exe</span></td> <td><span style="font-weight: 400;">29897f2ae25017455f904595872f2430b5f7fedd00ff1a46f1ea77e50940128e</span></td> <td><span style="font-weight: 400;">pwdump</span></td> </tr> <tr> <td><span style="font-weight: 400;">checker1.exe</span></td> <td><span style="font-weight: 400;">d0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333</span></td> <td><span style="font-weight: 400;">Compiled MS17-010 </span><a href="https://github.com/worawit/MS17-010/blob/master/checker.py"><span style="font-weight: 400;">checker</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">memory.exe</span></td> <td><span style="font-weight: 400;">a18326f929229da53d4cc340bde830f75e810122c58b523460c8d6ba62ede0e5</span></td> <td><span style="font-weight: 400;">Packed Mimikatz</span></td> </tr> <tr> <td><span style="font-weight: 400;">checker.exe</span></td> <td><span style="font-weight: 400;">090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98</span></td> <td><span style="font-weight: 400;">Compiled MS17-010 </span><a href="https://github.com/worawit/MS17-010/blob/master/checker.py"><span style="font-weight: 400;">checker</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">psexec.exe</span></td> <td><span style="font-weight: 400;">7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7</span></td> <td><span style="font-weight: 400;">Compiled </span><a href="https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py"><span style="font-weight: 400;">Impacket psexec</span></a><span style="font-weight: 400;">.</span></td> </tr> <tr> <td><span style="font-weight: 400;">etool.exe</span></td> <td><span style="font-weight: 400;">38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c</span></td> <td><span 
style="font-weight: 400;">C# Tool, likely from </span><a href="https://github.com/mubix/netview"><span style="font-weight: 400;">https://github.com/mubix/netview</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">smb.exe</span></td> <td><span style="font-weight: 400;">4a26ec5fd16ee13d869d6b0b6177e570444f6a007759ea94f1aa18fa831290a8</span></td> <td><span style="font-weight: 400;">SMB backdoor based on </span><a href="https://github.com/abatchy17/WindowsExploits/blob/master/MS08-068/src/smbrelay3.cpp"><span style="font-weight: 400;">smbrelay3</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">agent_Win32.exe</span></td> <td><span style="font-weight: 400;">b2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9</span></td> <td><a href="https://klionsec.github.io/2017/11/02/termite/"><span style="font-weight: 400;">Termite</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">smb_exec.exe</span></td> <td><span style="font-weight: 400;">475c7e88a6d73e619ec585a7c9e6e57d2efc8298b688ebc10a3c703322f1a4a7</span></td> <td><a href="https://github.com/abatchy17/WindowsExploits/blob/master/MS08-068/src/httprelay.cpp"><span style="font-weight: 400;">httprelay</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">curl.exe</span></td> <td><span style="font-weight: 400;">bbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab</span></td> <td><span style="font-weight: 400;">Legitimate cURL</span></td> </tr> <tr> <td><span style="font-weight: 400;">incognito.exe</span></td> <td><span style="font-weight: 400;">9f5f3a9ce156213445d08d1a9ea99356d2136924dc28a8ceca6d528f9dbd718b</span></td> <td><a href="https://github.com/mwrlabs/incognito"><span style="font-weight: 400;">Incognito</span></a><span style="font-weight: 400;">  </span></td> </tr> <tr> <td><span style="font-weight: 400;">nbtscan.exe</span></td> <td><span style="font-weight: 400;">c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e</span></td> <td><span 
style="font-weight: 400;">nbtscan</span></td> </tr> <tr> <td><span style="font-weight: 400;">fgdump.exe</span></td> <td><span style="font-weight: 400;">a6cad2d0f8dc05246846d2a9618fc93b7d97681331d5826f8353e7c3a3206e86</span></td> <td><span style="font-weight: 400;">pwdump</span></td> </tr> <tr> <td><span style="font-weight: 400;">smbexec.exe</span></td> <td><span style="font-weight: 400;">e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee</span></td> <td><span style="font-weight: 400;">Compiled </span><a href="https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py"><span style="font-weight: 400;">Impacket smbexec</span></a></td> </tr> </tbody> </table> <p style="text-align: center;"><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Table 3. Unique tools uploaded to the </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">errr.aspx</span></i></span><i><span style="font-weight: 400;"> webshell installed on a SharePoint server</span></i></span></p> <p><span style="font-weight: 400;">Two of the tools, specifically the compiled </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">zzz_exploit.py</span><span style="font-weight: 400;"> and </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">checker.py</span><span style="font-weight: 400;"> suggest the actor would check and exploit remote systems if they were not patched for MS17-010, which patched the CVE-2017-0144 (EternalBlue) vulnerability. Also, the use of the Mimikatz and pwdump tools suggests the adversary attempts to dump credentials on compromised systems. We were able to gather the command line arguments the actor used to run the SMB backdoor </span><span style="font-weight: 400;">smb1.exe</span><span style="font-weight: 400;">. 
The following arguments show the actor using the SMB backdoor to attempt to run a batch script </span><span style="font-weight: 400;">m.bat</span><span style="font-weight: 400;"> on a remote host using a domain username and the account’s password hash:</span></p> <p><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">c:\programdata\smb1.exe &lt;redacted 10.0.0.0/8 IP&gt; &lt;redacted domain&gt;\&lt;redacted username&gt; :&lt;redacted password hash&gt; winsk c:\programdata\m.bat</span></p> <p><span style="font-weight: 400;">We saw far fewer portable executable files uploaded to the second </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">errr.aspx</span><span style="font-weight: 400;"> webshell, specifically the 3 files seen in </span><span style="font-weight: 400;">Table 4</span><span style="font-weight: 400;">. The files uploaded to this webshell included the same compiled Python script used to scan remote systems for the CVE-2017-0144 (EternalBlue) vulnerability that we saw uploaded to the other </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">errr.aspx</span><span style="font-weight: 400;"> webshell. Also, we observed the actor uploading a legitimate Microsoft application that would sideload a malicious DLL, which was very similar to the DLL sideloaded by the Sublime Text plugin host that was uploaded to the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">error2.aspx</span><span style="font-weight: 400;"> webshell. 
</span></p> <table> <tbody> <tr> <td><b>Filename</b></td> <td><b>SHA256</b></td> <td><b>Description</b></td> </tr> <tr> <td><span style="font-weight: 400;">checker1.exe</span></td> <td><span style="font-weight: 400;">d0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333</span></td> <td><span style="font-weight: 400;">Compiled MS17-010 </span><a href="https://github.com/worawit/MS17-010/blob/master/checker.py"><span style="font-weight: 400;">checker</span></a></td> </tr> <tr> <td><span style="font-weight: 400;">CreateMedia.exe</span></td> <td><span style="font-weight: 400;">2bb22c7b97e4c4d07e17a259cbc48d72f7e3935aa873e3dd78d01c5bbf426088</span></td> <td><span style="font-weight: 400;">Legitimate CreateMedia.exe application from Microsoft's System Center 2012 Configuration Manager</span></td> </tr> <tr> <td><span style="font-weight: 400;">CreateTsMediaAdm.dll</span></td> <td><span style="font-weight: 400;">06510504f30feb1adc7e423d5a24e67e5b97acbfafe40f253a054be8b1c4e8d7</span></td> <td><span style="font-weight: 400;">Sideloaded DLL loaded by CreateMedia.exe</span></td> </tr> </tbody> </table> <p style="text-align: center;"><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Table 4. Unique tools uploaded to the </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">errr.aspx</span></i></span><i><span style="font-weight: 400;"> webshell installed on a SharePoint server</span></i></span></p> <p><span style="font-weight: 400; font-size: 18pt;">Emissary Panda Specific Tools</span></p> <p><span style="font-weight: 400;">Many of the tools uploaded to these webshells are hacking tools that are publicly accessible and could be used by multiple threat actors. However, several of the tools uploaded to the webshells appear to be custom made and likely related to the Emissary Panda threat group. 
</span></p> <p><span style="font-weight: 400; font-size: 14pt;">HyperBro</span></p> <p><span style="font-weight: 400;">The </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">s.exe</span><span style="font-weight: 400;"> (SHA256: </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462</span><span style="font-weight: 400;">) uploaded to the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">error2.aspx</span><span style="font-weight: 400;"> webshell is a self-extracting 7-zip archive that is an example of the HyperBro backdoor. According to </span><a href="https://securelist.com/luckymouse-hits-national-data-center/86083/"><span style="font-weight: 400;">Kaspersky</span></a><span style="font-weight: 400;"> and </span><a href="https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox"><span style="font-weight: 400;">SecureWorks</span></a><span style="font-weight: 400;"> research, HyperBro is a custom backdoor developed and used by Emissary Panda in their attack campaigns. This sample of HyperBro is similar to the sample discussed in Kaspersky’s research, specifically using a legitimate pcAnywhere application to sideload a DLL to decrypt, decompress and run a payload embedded within a file named ‘thumb.db’. 
</span><span style="font-weight: 400;">Table 5</span><span style="font-weight: 400;"> shows the three files associated with this HyperBro sample, which have the same file names as the self-extracting 7zip archives mentioned in Kaspersky’s blog (SHA256 hashes: </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa</span><span style="font-weight: 400;"> and </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233</span><span style="font-weight: 400;">).</span></p> <p>&nbsp;</p> <table> <tbody> <tr> <td><b>Filename</b></td> <td><b>SHA256</b></td> <td><b>Description</b></td> </tr> <tr> <td><span style="font-weight: 400;">thinprobe.exe</span></td> <td><span style="font-weight: 400;">76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af</span></td> <td><span style="font-weight: 400;">Symantec pcAnywhere thinprobe application </span></td> </tr> <tr> <td><span style="font-weight: 400;">thinhostprobedll.dll </span></td> <td><span style="font-weight: 400;">d40414b1173d59597ed1122361fe60303d3526f15320aede355c6ad9e7e239af</span></td> <td><span style="font-weight: 400;">Sideloaded DLL loaded by thinprobe.exe</span></td> </tr> <tr> <td><span style="font-weight: 400;">thumb.db</span></td> <td><span style="font-weight: 400;">270ea24f2cef655bd89439ab76c1d49c80caaa8899ffa6f0ef36dc1beb894530</span></td> <td><span style="font-weight: 400;">Contains encrypted and compressed DLL payload run by sideloaded DLL</span></td> </tr> </tbody> </table> <p style="text-align: center;"><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Table 5. 
Files associated with the HyperBro tool uploaded to a webshell on a SharePoint server</span></i></span></p> <p><span style="font-weight: 400;">The functional payload is a DLL compiled on 2019-03-11 02:23:54, which has two functionalities depending on whether the binary has the command line argument </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">-daemon</span><span style="font-weight: 400;"> or </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">-worker</span><span style="font-weight: 400;"> passed to it. The </span><span style="font-weight: 400;">daemon</span><span style="font-weight: 400;"> functionality handles the C2 communications portion of the Trojan, which is configured to communicate with </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">185.12.45[.]134 </span><span style="font-weight: 400;">over HTTPS using the following URL:</span></p> <p><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">hxxps://185.12.45[.]134:443/ajax</span></p> <p><span style="font-weight: 400;">The </span><span style="font-weight: 400;">worker</span><span style="font-weight: 400;"> functionality acts on the data received from the C2 server, which is passed from the </span><span style="font-weight: 400;">daemon</span><span style="font-weight: 400;"> to the </span><span style="font-weight: 400;">worker</span><span style="font-weight: 400;"> via a named pipe called "</span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">\\.\pipe\testpipe</span><span style="font-weight: 400;">". The worker subjects the received data to a command handler whose available commands are listed in </span><span style="font-weight: 400;">Table 6</span><span style="font-weight: 400;">.  
</span></p> <table> <tbody> <tr> <td><b>Command</b></td> <td><b>Sub-command</b></td> <td><b>Description</b></td> </tr> <tr> <td><span style="font-weight: 400;">0x12</span></td> <td></td> <td><span style="font-weight: 400;">File manager</span></td> </tr> <tr> <td></td> <td><span style="font-weight: 400;">0x10</span></td> <td><span style="font-weight: 400;">Enumerate logical storage volumes</span></td> </tr> <tr> <td></td> <td><span style="font-weight: 400;"> 0x11</span></td> <td><span style="font-weight: 400;">Delete a specified file</span></td> </tr> <tr> <td></td> <td><span style="font-weight: 400;">0x12</span></td> <td><span style="font-weight: 400;">Upload a file</span></td> </tr> <tr> <td></td> <td><span style="font-weight: 400;">0x13</span></td> <td><span style="font-weight: 400;">Download a file</span></td> </tr> <tr> <td></td> <td><span style="font-weight: 400;">0x17</span></td> <td><span style="font-weight: 400;">List contents of a folder</span></td> </tr> <tr> <td></td> <td><span style="font-weight: 400;">0x19</span></td> <td><span style="font-weight: 400;">Run an application (CreateProcessW) or script/file (ShellExecuteW)</span></td> </tr> <tr> <td><span style="font-weight: 400;">0x13</span></td> <td></td> <td><span style="font-weight: 400;">Execute command on shell</span></td> </tr> <tr> <td><span style="font-weight: 400;">0x16</span></td> <td></td> <td><span style="font-weight: 400;">Takes screenshot</span></td> </tr> <tr> <td><span style="font-weight: 400;">0x19</span></td> <td></td> <td><span style="font-weight: 400;">Runs shellcode it injects into a newly created process 'msiexec.exe'</span></td> </tr> <tr> <td><span style="font-weight: 400;">0x1a</span></td> <td></td> <td><span style="font-weight: 400;">Kill specific process</span></td> </tr> <tr> <td><span style="font-weight: 400;">0x1e</span></td> <td></td> <td><span style="font-weight: 400;">Service manager</span></td> </tr> <tr> <td></td> <td><span style="font-weight: 400;">0x17</span></td> 
<td><span style="font-weight: 400;">List all services and their configurations</span></td> </tr> <tr> <td></td> <td><span style="font-weight: 400;">0x19</span></td> <td><span style="font-weight: 400;">Start a specified service</span></td> </tr> <tr> <td></td> <td><span style="font-weight: 400;">0x1a</span></td> <td><span style="font-weight: 400;">Stop a specified service</span></td> </tr> </tbody> </table> <p style="text-align: center;"><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Table 6. The commands available within the HyperBro tool’s command handler</span></i></span></p> <p><span style="font-weight: 400; font-size: 14pt;">Unknown Sideloaded Payloads</span></p> <p><span style="font-weight: 400;">Tables 2 and 4</span><span style="font-weight: 400;"> above include two legitimate executables used for DLL sideloading, specifically the</span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;"> plugin_host.exe</span><span style="font-weight: 400;"> application for Sublime Text and the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">CreateMedia.exe</span><span style="font-weight: 400;"> application from Microsoft's System Center 2012 Configuration Manager. The </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">plugin_host.exe</span><span style="font-weight: 400;"> application imports several functions from a library named </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">python33</span><span style="font-weight: 400;">, which is how the legitimate application sideloads the malicious DLL named </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">PYTHON33.dll</span><span style="font-weight: 400;">. This is the first instance we have observed Sublime Text’s plugin host application used for sideloading. 
Like the plugin host application, the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">CreateMedia.exe</span><span style="font-weight: 400;"> application imports several functions from a library named </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">CreateTsMediaAdm</span><span style="font-weight: 400;"> that is leveraged to load the malicious DLL named </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">CreateTsMediaAdm.dll</span><span style="font-weight: 400;">.</span></p> <p><span style="font-weight: 400;">The </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">PYTHON33.dll</span><span style="font-weight: 400;"> and the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">CreateTsMediaAdm.dll</span><span style="font-weight: 400;"> libraries are very similar with BinDiff providing a 97% similarity with 99% confidence between the two DLLs. The code diff in </span><span style="font-weight: 400;">Figure 8</span><span style="font-weight: 400;"> shows the decryption routine in </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">PYTHON33.dll </span><span style="font-weight: 400;">(right) and </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">CreateTsMediaAdm.dll </span><span style="font-weight: 400;">(left), both of which use an eight byte XOR key to decrypt a piece of </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">shikata_ga_nai </span><span style="font-weight: 400;">obfuscated</span><span style="font-weight: 400;"> shellcode. 
The shellcode is responsible for patching the entry point of the legitimate application to call another function in the shellcode that is responsible for loading a file with the library name with an <span style="font-family: 'courier new', courier, monospace;">.</span></span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">hlp</span><span style="font-weight: 400;"> extension (</span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">PYTHON33.hlp</span><span style="font-weight: 400;"> or </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">CreateTsMediaAdm.hlp</span><span style="font-weight: 400;">).</span></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image4.png" rel="wpdevart_lightbox"><img class="aligncenter size-full wp-image-96984 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image4.png" alt="" width="1539" height="903" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image4.png 1539w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image4-300x176.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image4-768x451.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image4-1024x601.png 1024w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image4-900x528.png 900w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image4-370x217.png 370w" sizes="(max-width: 1539px) 100vw, 1539px" /></a><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Figure 8. 
Code comparison between the sideloaded </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">CreateTsMediaAdm.dll</span></i></span><i><span style="font-weight: 400;"> and </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">PYTHON33.dll </span></i></span><i><span style="font-weight: 400;">files uploaded to two webshells</span></i></span></p> <p><span style="font-weight: 400;">Unfortunately, we do not have access to the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">PYTHON33.hlp</span><span style="font-weight: 400;"> or </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">CreateTsMediaAdm.hlp</span><span style="font-weight: 400;"> files, so we do not know the final payload loaded by either of these DLLs. However, using </span><a href="https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/"><span style="font-weight: 400;">NCC Group</span></a><span style="font-weight: 400;">’s research published in May 2018, we were able to discover code overlaps between these DLLs and a sideloaded DLL that ran the SysUpdate tool that NCC Group has associated with an Emissary Panda campaign. 
</span><span style="font-weight: 400;">Figure 9</span><span style="font-weight: 400;"> shows a code comparison between the </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">PYTHON33.dll</span><span style="font-weight: 400;"> (right) and </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">inicore_v2.3.30.dll</span><span style="font-weight: 400;"> (left) (SHA256: </span><span style="font-weight: 400; font-family: 'courier new', courier, monospace;">4d65d371a789aabe1beadcc10b38da1f998cd3ec87d4cc1cfbf0af014b783822</span><span style="font-weight: 400;">), which was sideloaded to run the SysUpdate tool in a previous Emissary Panda campaign. The code overlaps below include the same technique to find the entry point of the loading executable and decrypting the first piece of shellcode used to patch the entry point.</span></p> <p style="text-align: center;"><a href="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image5.png" rel="wpdevart_lightbox"><img class="aligncenter size-full wp-image-96985 lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image5.png" alt="" width="1563" height="896" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image5.png 1563w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image5-300x172.png 300w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image5-768x440.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image5-1024x587.png 1024w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image5-900x516.png 900w, https://unit42.paloaltonetworks.com/wp-content/uploads/2019/05/image5-370x212.png 370w" sizes="(max-width: 1563px) 100vw, 1563px" /></a><span style="font-size: 10pt;"><i><span style="font-weight: 400;">Figure 9. 
Code comparison between the sideloaded </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">PYTHON33.dll </span></i></span><i><span style="font-weight: 400;">uploaded to webshell and the </span></i><span style="font-family: 'courier new', courier, monospace;"><i><span style="font-weight: 400;">inicore_v2.3.30.dll </span></i></span><i><span style="font-weight: 400;">file sideloaded in previous Emissary Panda</span></i> <i><span style="font-weight: 400;">attacks</span></i></span></p> <p><span style="font-weight: 400; font-size: 18pt;">Conclusion</span></p> <p><span style="font-weight: 400;">The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604. According to </span><a href="https://support.microsoft.com/en-us/help/4462211/description-of-the-security-update-for-sharepoint-enterprise-server"><span style="font-weight: 400;">Microsoft’s advisory</span></a><span style="font-weight: 400;">, this vulnerability was patched on March 12, 2019 and we first saw the webshell activity on April 1, 2019. This suggests that the threat group was able to quickly leverage a known vulnerability to exploit Internet facing servers to gain access to targeted networks.</span></p> <p><span style="font-weight: 400;">Once the adversary established a foothold on the targeted network, they used China Chopper and other webshells to upload additional tools to the SharePoint server to dump credentials, perform network reconnaissance and pivot to other systems. We believe the actors pivoted to other systems on the network using stolen credentials and by exploiting the CVE-2017-0144 (EternalBlue) vulnerability patched in MS17-010. 
We also observed the actors uploading legitimate tools that would sideload DLLs, specifically the Sublime Text plugin host and Microsoft’s Create Media application, both of which we had never seen used for DLL sideloading before. </span></p> <p><span style="font-weight: 400;">Palo Alto Networks customers are protected by:</span></p> <ul> <li style="font-weight: 400;"><span style="font-weight: 400;">The CVE-2019-0604 vulnerability is covered by our IPS signature Microsoft Sharepoint Remote Code Execution Vulnerability (55411)</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">All illegitimate tools uploaded to the webshells are marked with malicious verdicts by WildFire and Traps.</span></li> <li style="font-weight: 400;"><span style="font-weight: 400;">AutoFocus customers can track the custom Emissary Panda payload seen uploaded to the webshell using the </span><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.HyperBro"><span style="font-weight: 400;">HyperBro</span></a><span style="font-weight: 400;"> tag, but can also track the hack tools using the following tags (note the hack tools are used by multiple actors and not just Emissary Panda):</span> <ul> <li style="font-weight: 400;"><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.SmbExec"><span style="font-weight: 400;">SmbExec</span></a></li> <li style="font-weight: 400;"><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.PsExec"><span style="font-weight: 400;">PsExec</span></a></li> <li style="font-weight: 400;"><a href="https://autofocus.paloaltonetworks.com/#/tag/Commodity.PsExec_Python"><span style="font-weight: 400;">PsExec_Python</span></a></li> <li style="font-weight: 400;"><a href="https://autofocus.paloaltonetworks.com/#/tag/Commodity.BChecker"><span style="font-weight: 400;">BChecker</span></a></li> <li style="font-weight: 400;"><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.ZZZ_Exploit"><span style="font-weight: 
400;">ZZZ_Exploit</span></a></li> <li style="font-weight: 400;"><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.Termite"><span style="font-weight: 400;">Termite</span></a></li> <li style="font-weight: 400;"><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.Incognito"><span style="font-weight: 400;">Incognito</span></a></li> <li style="font-weight: 400;"><a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.PwDump"><span style="font-weight: 400;">PwDump</span></a></li> </ul> </li> </ul> <p><span style="font-size: 10pt;"><span style="font-weight: 400;">Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit</span> <a href="https://www.cyberthreatalliance.org/"><span style="font-weight: 400;">www.cyberthreatalliance.org</span></a><span style="font-weight: 400;">.</span></span></p> <p><span style="font-weight: 400; font-size: 18pt;">IOCs</span></p> <p><span style="font-weight: 400; font-size: 14pt;">Webshells SHA256</span></p> <p><span style="font-weight: 400;">006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38</span></p> <p><span style="font-weight: 400;">2feae7574a2cc4dea2bff4eceb92e3a77cf682c0a1e78ee70be931a251794b86</span></p> <p><span style="font-weight: 400;">d1ab0dff44508bac9005e95299704a887b0ffc42734a34b30ebf6d3916053dbe</span></p> <p><span style="font-weight: 400;">6b3f835acbd954af168184f57c9d8e6798898e9ee650bd543ea6f2e9d5cf6378</span></p> <p><span style="font-weight: 400; font-size: 14pt;">Malicious HackTools and Payloads SHA256</span></p> <p><span style="font-weight: 400;">88027a44dc82a97e21f04121eea2e86b4ddf1bd7bbaa4ad009b97b50307570bd</span></p> <p><span style="font-weight: 
400;">738128b4f42c8d2335d68383d72734130c0c4184725c06851498a4cf0374a841</span></p> <p><span style="font-weight: 400;">3bca0bb708c5dad1c683c6ead857a5ebfa15928a59211432459a3efa6a1afc59</span></p> <p><span style="font-weight: 400;">29897f2ae25017455f904595872f2430b5f7fedd00ff1a46f1ea77e50940128e</span></p> <p><span style="font-weight: 400;">d0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333</span></p> <p><span style="font-weight: 400;">a18326f929229da53d4cc340bde830f75e810122c58b523460c8d6ba62ede0e5</span></p> <p><span style="font-weight: 400;">090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98</span></p> <p><span style="font-weight: 400;">7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7</span></p> <p><span style="font-weight: 400;">38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c</span></p> <p><span style="font-weight: 400;">4a26ec5fd16ee13d869d6b0b6177e570444f6a007759ea94f1aa18fa831290a8</span></p> <p><span style="font-weight: 400;">b2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9</span></p> <p><span style="font-weight: 400;">475c7e88a6d73e619ec585a7c9e6e57d2efc8298b688ebc10a3c703322f1a4a7</span></p> <p><span style="font-weight: 400;">9f5f3a9ce156213445d08d1a9ea99356d2136924dc28a8ceca6d528f9dbd718b</span></p> <p><span style="font-weight: 400;">c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e</span></p> <p><span style="font-weight: 400;">a6cad2d0f8dc05246846d2a9618fc93b7d97681331d5826f8353e7c3a3206e86</span></p> <p><span style="font-weight: 400;">e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee</span></p> <p><span style="font-weight: 400;">d0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333</span></p> <p><span style="font-weight: 400;">06510504f30feb1adc7e423d5a24e67e5b97acbfafe40f253a054be8b1c4e8d7</span></p> <p><span style="font-weight: 400;">b279a41359367408c627ffa8d80051ed0f04c76fbf6aed79b3b2963203e08ade</span></p> <p><span style="font-weight: 
400;">7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7</span></p> <p><span style="font-weight: 400;">04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462</span></p> <p><span style="font-weight: 400;">090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98</span></p> <p><span style="font-weight: 400;">38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c</span></p> <p><span style="font-weight: 400;">2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528</span></p> <p><span style="font-weight: 400; font-size: 14pt;">HyperBro C2</span></p> <p><span style="font-weight: 400;">hxxps://185.12.45[.]134:443/ajax</span></p> <p><span style="font-weight: 400;">185.12.45[.]134</span></p> </div>
Image of computer code on a screen with a prominent biohazard symbol." decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/05_Malware_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/05_Malware_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/05_Malware_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/05_Malware_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/11/05_Malware_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:TA Phone Home: EDR Evasion Testing Reveals Extortion Actor&#039;s Toolkit:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-11-01T22:00:12+00:00">November 1, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:TA Phone Home: EDR Evasion Testing Reveals Extortion Actor&#039;s Toolkit"> <h4 class="post-title">TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/extortion/" title="Extortion" role="link" data-page-track="true" 
data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:TA Phone Home: EDR Evasion Testing Reveals Extortion Actor&#039;s Toolkit:Extortion">Extortion</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/data-exfiltration/" title="data exfiltration" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:TA Phone Home: EDR Evasion Testing Reveals Extortion Actor&#039;s Toolkit:data exfiltration">Data exfiltration</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/" title="TA Phone Home: EDR Evasion Testing Reveals Extortion Actor&#039;s Toolkit" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:TA Phone Home: EDR Evasion Testing Reveals Extortion Actor&#039;s Toolkit:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/Pisces-NK-A-1920x900-1-786x368.png" class="lozad" alt="A representation of a threat group like Jumpy Pisces. Illustrative image featuring two fish and the Pisces constellation superimposed on a stylized, abstract background with flowing purple waves and a starry night sky." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/Pisces-NK-A-1920x900-1-786x368.png 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/Pisces-NK-A-1920x900-1-1493x700.png 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/Pisces-NK-A-1920x900-1-768x360.png 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/Pisces-NK-A-1920x900-1-1536x720.png 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/Pisces-NK-A-1920x900-1.png 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Jumpy Pisces Engages in Play Ransomware:Threat Actor Groups"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/threat-actor-groups.svg" alt=" category icon">Threat Actor Groups</span></a> <span class="post-pub-date"><time datetime="2024-10-30T10:00:29+00:00">October 30, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Jumpy Pisces Engages in Play Ransomware"> <h4 class="post-title">Jumpy Pisces Engages in Play Ransomware</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Jumpy Pisces Engages in Play Ransomware:North Korea">North Korea</a> </li> <li role="listitem"> <a 
href="https://unit42.paloaltonetworks.com/tag/jumpy-pisces/" title="Jumpy Pisces" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Jumpy Pisces Engages in Play Ransomware:Jumpy Pisces">Jumpy Pisces</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/fiddling-scorpius/" title="Fiddling Scorpius" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Jumpy Pisces Engages in Play Ransomware:Fiddling Scorpius">Fiddling Scorpius</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/" title="Jumpy Pisces Engages in Play Ransomware" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Jumpy Pisces Engages in Play Ransomware:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of a campaign like Contagious Interview. Digital graphic of a glowing globe with network connections and data streams, symbolizing global connectivity and technology advancements." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/10/03_Nation-State-cyberattacks_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-10-09T10:00:54+00:00">October 9, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware"> <h4 class="post-title">Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware</h4> </a> <ul class="card-tags" 
role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:North Korea">North Korea</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/social-engineering/" title="social engineering" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:social engineering">Social engineering</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/python/" title="Python" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:Python">Python</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/" title="Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware:read now"> Read now <img 
src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" data-card-link="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" data-video-cta-tracking="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:card:video-modal:Read the article" data-video-title="Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning"> <div class="card-media has-video" data-video="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922.jpg"> <figure> <img width="718" height="440" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-718x440.jpg" class="lozad" alt="A pictorial representation of machine learning detecting vulnerability scanning. A Black man using a tablet with a background of illuminated city buildings at night." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-718x440.jpg 718w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-1143x700.jpg 1143w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922-768x470.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Tutorial_Category_1505x922.jpg 1505w" sizes="(max-width: 718px) 100vw, 718px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-10-01T10:00:05+00:00">October 1, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning"> <h4 class="post-title">Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/machine-learning/" title="Machine Learning" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools 
Using Machine Learning:Machine Learning">Machine Learning</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-tool/" title="Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of keylogger malware like KLogEXE and FPSpy. Person working on a laptop with lines of code displayed on the screen, with a blurred effect indicating motion or activity, surrounded by a vivid blue and red lighting." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/06_Malware_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-actor-groups/" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:Threat Actor Groups"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/07/threat-actor-groups.svg" alt=" category icon">Threat Actor Groups</span></a> <span class="post-pub-date"><time datetime="2024-09-26T10:00:51+00:00">September 26, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy"> <h4 class="post-title">Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/mitre/" title="MITRE" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and 
FPSpy:MITRE">MITRE</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/keylogger/" title="Keylogger" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:Keylogger">Keylogger</a> </li> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/north-korea/" title="North Korea" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:North Korea">North Korea</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/" title="Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-786x368.jpg" class="lozad" alt="Pictorial representation of SnipBot. Digital abstract background featuring binary code and technology symbols with a blue glow in the shape of a skull." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/01_Malware_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-09-23T21:00:55+00:00">September 23, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Inside SnipBot: The Latest RomCom Malware Variant"> <h4 class="post-title">Inside SnipBot: The Latest RomCom Malware Variant</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/backdoor/" title="backdoor" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:backdoor">Backdoor</a> </li> <li 
role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/romcom/" title="RomCom" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:RomCom">RomCom</a> </li></ul> </div> <div class="card-content__link"> <a class="hyperlink" href="https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/" title="Inside SnipBot: The Latest RomCom Malware Variant" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Inside SnipBot: The Latest RomCom Malware Variant:read now"> Read now <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-right-arrow-withtail.svg" alt="Right arrow"> </a> </div> </div> </div> <div class="pa l-card l-card--slider" > <div class="card-media " > <figure> <img width="786" height="368" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-786x368.jpg" class="lozad" alt="A pictorial representation of a red team tool like Splinter. A digital illustration showing a 3D brain model surrounded by rising data columns on a circuit board, representing advanced artificial intelligence technology." 
decoding="async" data-srcset="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-786x368.jpg 786w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-1493x700.jpg 1493w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-768x360.jpg 768w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900-1536x720.jpg 1536w, https://unit42.paloaltonetworks.com/wp-content/uploads/2024/09/08_Security-Technology_Category_1920x900.jpg 1920w" sizes="(max-width: 786px) 100vw, 786px" /> </figure> </div> <div class="card-content"> <div class="card-content__wrapper"> <a class="card-category" href="https://unit42.paloaltonetworks.com/category/threat-research/" role="link" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool:Threat Research"><span class=""><img class="lozad" data-src="https://unit42.paloaltonetworks.com/wp-content/uploads/2024/06/icon-threat-research.svg" alt=" category icon">Threat Research</span></a> <span class="post-pub-date"><time datetime="2024-09-19T10:00:43+00:00">September 19, 2024</time></span> <a href="https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/" data-page-track="true" data-page-track-value="emissary-panda-attacks-middle-east-government-sharepoint-servers:related-resources:Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool"> <h4 class="post-title">Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool</h4> </a> <ul class="card-tags" role="list"> <li role="listitem"> <a href="https://unit42.paloaltonetworks.com/tag/red-teaming-tool/" title="red teaming tool" role="link" data-page-track="true" 
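</video>
<div class="modal__post-details" tabindex="-1">
  <h3>Default Heading</h3>
  <!-- href="#" and the heading look like placeholders that script.js fills per post — confirm before changing. -->
  <a class="l-btn" href="#" title="Right Arrow Icon" role="link" data-page-track="true" data-page-track-value="overview:explore reports:View all reports">Read the article <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/right-arrow.svg" alt="Right Arrow"> </a>
</div>
<div class="modal__video-controls">
  <div class="modal__video-seekbar input__wrapper"><span></span>
    <label class="is-hidden" for="modalSeekBar">Seekbar</label>
    <input class="custom-range" id="modalSeekBar" type="range" min="0" max="100" value="1">
    <p class="modal__remaining-time"></p>
  </div>
  <!-- NOTE(review): id="playPauseBtn" appears twice in this modal's markup; ids must be document-unique.
       Left unchanged because script.js (not visible here) may select on it — rename together with that script.
       type="button" is set explicitly on the controls so they can never act as implicit submit buttons. -->
  <button class="modal__play-btn is-paused" id="playPauseBtn" type="button">
    <img class="play" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-play-icon.svg" alt="Play">
    <img class="pause" src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/player-pause-icon1.svg" alt="Pause">
  </button>
  <div class="modal__volume-controls">
    <div class="modal__volume__wrapper">
      <button tabindex="0" type="button">
        <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-volume.svg" alt="Volume">
      </button>
      <div class="modal__volume-seekbar"><span></span>
        <label class="is-hidden" for="volumeBar">Volume</label>
        <input class="volume__bar" id="volumeBar" type="range" min="0" max="1" step="0.1" value="0.7">
      </div>
    </div>
    <button class="modal__minimize-btn" id="minimizeBtn" type="button">
      <img src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/images/icons/icon-minimize.svg" alt="Minimize">
    </button>
  </div>
</div>
</div>
</div><!-- End: video modal -->
<script>
  /* Like/dislike counter: POSTs the vote for post_id to the plugin's ajax_counter.php and
     writes the returned value into the clicked element's <span>. isProcessing serialises
     requests so a second click cannot start while one is in flight. */
  var isProcessing = false;
  function alter_ul_post_values(obj, post_id, ul_type) {
    if (isProcessing) return;
    isProcessing = true;
    var like_nonce = jQuery('#_wpnonce').val();
    jQuery(obj).find("span").html("..");
    jQuery.ajax({
      type: "POST",
      url: "https://unit42.paloaltonetworks.com/wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php",
      /* Object form lets jQuery URL-encode each value; the original concatenated a raw
         query string, which breaks on any '&' or '=' in the nonce or type. */
      data: { post_id: post_id, up_type: ul_type, ul_nonce: like_nonce },
      success: function (msg) {
        /* NOTE(review): the reply is inserted as HTML. If ajax_counter.php only ever returns
           a count, .text(msg) is the safer call — confirm against the plugin before switching. */
        jQuery(obj).find("span").html(msg);
        jQuery(obj).find('svg').children('path').attr('stroke', '#0050FF');
        jQuery(obj).removeClass('idc_ul_cont_not_liked idc_ul_cont_not_liked_inner');
      },
      /* Release the lock on failure as well; previously a failed request left the
         button stuck at ".." with isProcessing permanently true. */
      complete: function () { isProcessing = false; }
    });
  }
</script>
<link rel="stylesheet" id="wpdevart_lightbox_front_end_css-css" href="https://unit42.paloaltonetworks.com/wp-content/plugins/lightbox-popup/includes/style/wpdevart_lightbox_front.css?ver=6.6.2" media="all">
<script src="https://unit42.paloaltonetworks.com/wp-content/themes/unit42-v6/dist/js/script.js?ver=1.0.0" id="unit42-v6-navigation-js"></script>
<!-- Start: Scripts Migrated From Unit42-v5 -->
<script>
  // lazy loads elements with default selector as '.lozad'
  const observer_lozad = lozad('.lozad, .lozad-background');
  observer_lozad.observe();

  window.PAN_Clean_Util = { isIE: false };
  (function () {
    // INP Util Fix: resolves after ms milliseconds so long tasks can hand control back to the main thread.
    function yieldToMain(ms) {
      return new Promise(resolve => setTimeout(resolve, ms));
    }
    window.PAN_Clean_Util.yieldToMain = yieldToMain;
  })();

  // `referer` is expected to be defined earlier in the page (not visible in this excerpt) — confirm.
  if (referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw") {
    var Coveo_organizationId = "paloaltonetworksintranet";
    var techDocsPagePath = "https://docs.paloaltonetworks.com/search.html#hd=All%20Prisma%20Cloud%20Documentation&hq=%40panproductcategory%3D%3D(%22Prisma%20Cloud%22)&sort=relevancy&layout=card&numberOfResults=25";
    var languageFromPath = "en_US";
    // Minimal Granite.I18n shim: only the two Coveo strings used by the shared nav resolve to text.
    window.Granite = window.Granite || {};
    Granite.I18n = (function () {
      var self = {};
      self.setLocale = function (locale) { };
      self.get = function (text, snippets, note) {
        var out = "";
        if (text) {
          if (text === "coveo.clear") {
            out = "Clear";
          } else if (text === "coveo.noresultsfound") {
            out = "No results found for this search term.";
          }
        }
        return out;
      };
      return self;
    }());
  }

  // Shared-navigation bundles, all served from maindomain_lang (set earlier in the page).
  var main_site_critical_top = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTop.min.js';
  var main_site_defered = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/defered.min.js';
  var main_site_criticalTopBase = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopBase.min.js';
  var main_site_criticalTopProductNav = maindomain_lang + '/etc.clientlibs/panClean/components/mainNavigationComp/clientlibs/panClean/criticalTopProductNav.min.js';
  window.PAN_MainNavAsyncUrl = maindomain_lang + "/_jcr_content/globals/cleanHeaderPrisma.prismaRenderer.html";

  // Appends a <script src=url> to <head>. Dynamically inserted scripts are async by default,
  // so the defer attribute set here does not influence execution order.
  function loadScript(url, defer) {
    var script1 = document.createElement('script');
    script1.setAttribute('type', 'text/javascript');
    script1.setAttribute('src', url);
    if (defer == true) {
      script1.setAttribute('defer', 'defer');
    }
    document.head.appendChild(script1);
  }

  // Like loadScript, but invokes callback once the script has loaded (readyState branch is for old IE).
  function loadScript1(url, callback) {
    var script = document.createElement("script");
    script.type = "text/javascript";
    if (script.readyState) { //IE
      script.onreadystatechange = function () {
        if (script.readyState == "loaded" || script.readyState == "complete") {
          script.onreadystatechange = null;
          callback();
        }
      };
    } else { //Others
      script.onload = function () {
        callback();
      };
    }
    script.src = url;
    document.getElementsByTagName("head")[0].appendChild(script);
  }

  // Nav bundles are loaded after a 3 s delay; the "Unit" variant uses the base + product-nav split.
  if (referer == "Prisma" || referer == "Cortex" || referer == "Sase" || referer == "Unit" || referer == "Ngfw") {
    if (referer == "Unit") {
      setTimeout(function () {
        loadScript(main_site_criticalTopBase, false);
        loadScript1(main_site_criticalTopProductNav, function () {
          window.PAN_initializeProduct2021Nav();
        });
        loadScript(main_site_defered, false);
      }, 3000);
    } else {
      setTimeout(function () {
        loadScript1(main_site_critical_top, function () {
          window.PAN_initializeProduct2021Nav();
        });
        loadScript(main_site_defered, false);
      }, 3000);
    }
  }

  $(document).ready(function () {
    setTimeout(function () {
      $('.article-banner .ab__options ul li a').each(function () {
        $(this).attr('target', "_blank");
        // A link forced into a new tab also gets rel=noopener, so the opened page
        // cannot reach this window through window.opener. Existing rel tokens are kept.
        var rel = ($(this).attr('rel') || '').split(/\s+/).filter(Boolean);
        if (rel.indexOf('noopener') === -1) {
          rel.push('noopener');
          $(this).attr('rel', rel.join(' '));
        }
      });
    }, 4000);
  });
</script>
<!-- End: Scripts Migrated From Unit42-v5 -->
</body>
</html>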
