Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Pique Analysis Report
20150814-256-CSIR-15005-Stalker Panda
Raytheon Blackbird Technologies, Inc.
14 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
(S//NF) The XUni RAT is closely related to Blogspot. Earlier versions of XUni have been seen since around 2010, but an updated version was observed in operation in early 2014. The report authors speculate that the 2014 version of XUni is meant to replace Blogspot. XUni uses the same C2 protocol as the other RATs used by Stalker Panda (a multi-stage C2 architecture). One interesting aspect of XUni's first-stage social media site interaction is that it automatically leaves comments on the site to mimic benign user activity. Like the other RATs, XUni is simplistic in terms of functionality and is used primarily to download additional capabilities once on target. XUni achieves persistence by placing a shortcut in the victim's Startup folder.
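The Startup-folder shortcut persistence described above is easy to audit from the endpoint side. The following PowerShell is an added example, not code from the Raytheon report or from the XUni sample: it resolves every .lnk in the per-user and all-users Startup folders to its target and flags entries whose target lives in a user-writable location or no longer exists. The function name and the user-writable heuristic are assumptions for illustration; the report gives no file names or paths for XUni's shortcut, so nothing here matches on them.

```powershell
# Added example (not from the Raytheon report): enumerate shortcut-based
# persistence in the Startup folders and resolve each .lnk to its target so a
# dropper-installed entry can be reviewed. Startup folder locations come from
# the OS; the function name and the UserWritable heuristic are assumptions.

function Get-StartupShortcut {
    [CmdletBinding()]
    param()

    # Per-user and all-users Startup folders, keeping only those that exist.
    $folders = @(
        [Environment]::GetFolderPath('Startup')
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    $shell = New-Object -ComObject WScript.Shell
    try {
        foreach ($folder in $folders) {
            Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File -Force -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $lnk    = $shell.CreateShortcut($_.FullName)
                    $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
                    [pscustomobject]@{
                        Folder       = $folder
                        Shortcut     = $_.Name
                        CreatedUtc   = $_.CreationTimeUtc
                        Target       = $target
                        Arguments    = $lnk.Arguments
                        TargetExists = if ($target) { Test-Path -LiteralPath $target } else { $false }
                        # Heuristic, not a verdict: a Startup entry that launches
                        # from a user-writable directory deserves a second look.
                        UserWritable = $target -match '\\(AppData|Temp|ProgramData|Downloads|Users\\Public)\\'
                    }
                }
        }
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

# Usage: list everything, then narrow to the entries worth triage.
$entries = Get-StartupShortcut
$entries | Format-Table Folder, Shortcut, Target, Arguments, TargetExists, UserWritable -AutoSize
$entries | Where-Object { $_.UserWritable -or -not $_.TargetExists }
```

Run it in an elevated session so the all-users folder is readable; a shortcut whose target has been deleted (TargetExists false) is as interesting as one pointing into AppData, since it often marks a staged first stage that has already moved on.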
(S//NF) While the report on Stalker Panda's activities is interesting, there is nothing unique or interesting in how the malware implements its functionality. The multi-stage C2 infrastructure used by its RATs is notable as an overall architectural item, but it is not something on which we can make a PoC recommendation. There are no PoC recommendations from this report.
2.0 (U) Description of the Technique
(S//NF) Not applicable since there are no PoC recommendations from this report.
3.0 (U) Identification of Affected Applications
(U) Windows.
4.0 (U) Related Techniques
(S//NF) Generic RATs and distributed C2 communications.
5.0 (U) Configurable Parameters
(S//NF) Varies depending on the multi-stage C2 configuration.
6.0 (U) Exploitation Method and Vectors
(S//NF) The exploitation methods discussed in this report are CVE-2011-0611 (Adobe Flash, Reader, and Acrobat vulnerability) and CVE-2014-6332 (Windows OLE vulnerability). The attack vectors discussed are spear-phishing email campaigns and social engineering.
7.0 (U) Caveats
(U) None.
8.0 (U) Risks
(S//NF) Not applicable as no PoCs are recommended.
9.0 (U) Recommendations
(S//NF) No PoCs are recommended.
