"1.php" Group Intrusion Set Paper
Update: report links now go straight to the paper rather than the general Whitepaper page.
ThreatLabZ has just released a report that summarizes incident information related to the "1.php" Group. Historically, this Group used command and control (C&C) servers with "/1.php?" as the check-in URL path, which is the reason for the informal name. They have repeatedly targeted one of our customers, so I worked to compile research on this group. There is evidence that the group has been operating since at least 2008 and that it tends to target China/US relations experts, defense entities, and geospatial entities using spear phishing with a malicious PDF attachment or a link to a ZIP that decompresses to a malicious SCR. The payload is often the PoisonIvy remote access tool/trojan (RAT) or something similar. They have varied their C&C check-in behavior, but it is usually over the web: sometimes HTTPS, sometimes HTTP with different check-in parameters/paths. The Group either registers its own domains or uses No-IP dynamic DNS domains for its C&Cs.
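The check-in pattern described above lends itself to a simple proxy-log sweep. The following is an added example written for this post, not code from the report or from Zscaler: it parses a constructed log format, flags requests whose path is "/1.php" (highest confidence when query parameters are present), and marks HTTPS CONNECTs to dynamic DNS hosts as low-confidence context, since the path is not visible without TLS inspection. The dynamic DNS suffix list, log format and hostnames are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed watch list of No-IP dynamic DNS zones (not taken from the report).
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "no-ip.info", "ddns.net", "hopto.org")

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+) (\d{3})$")

# Constructed sample lines; hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
2011-07-12T09:14:03Z 10.1.4.22 GET http://update.c2-placeholder.example/1.php?id=1a2b3c 200
2011-07-12T09:14:09Z 10.1.4.22 GET http://www.example.com/index.php?page=1 200
2011-07-12T09:15:41Z 10.1.4.37 CONNECT sample-host.no-ip.org:443 200
2011-07-12T09:16:02Z 10.1.4.37 GET http://cdn.example.org/1.php 200
"""

def is_dyndns(host):
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)

def classify(line):
    """Return a finding for a check-in-shaped request, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, _status = m.groups()
    if method == "CONNECT":
        # HTTPS without TLS inspection: only host:port is visible, no path.
        host, path, query = url.rsplit(":", 1)[0].lower(), None, None
    else:
        parts = urlsplit(url)
        host, path, query = (parts.hostname or "").lower(), parts.path, parts.query
    dyn = is_dyndns(host)
    if path == "/1.php" and query:
        confidence = "high"      # the "/1.php?<params>" check-in shape itself
    elif path == "/1.php":
        confidence = "medium"    # same script name, but no parameters seen
    elif dyn and method == "CONNECT":
        confidence = "low"       # dynamic DNS host over HTTPS: path unseen
    else:
        return None
    return {"ts": ts, "client": client, "host": host, "dyndns": dyn,
            "confidence": confidence}

def scan(log_text):
    """Run classify() over every line and keep the findings, in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Low-confidence hits on dynamic DNS hosts are context for correlation with the report's domain list and with sandbox or endpoint data, not alerts on their own.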
For further details on the "1.php" Group research, please register and view the report HERE.
One challenge with doing this research is deciding with whom, and how, to share the information. Responsible disclosure is fairly well defined at this point for vulnerability information, but it is not for incident response information (particularly when the "APT" term is used).
This report provides high-level indicators of compromise (such as general network behavior and malicious domains) without the release of specifics, such as victim information. The purpose is to establish a community of awareness so that organizations can better detect and protect against these and similar threats. Additional specifics of the attacks were limited to stakeholders (victims and those chartered with protecting them).
If you have additional details on this Group or would like to exchange information with Zscaler, please contact us at our ThreatLabZ email address.