Cryptic Silverfish

Cryptic Silverfish is a cyber-espionage group first documented in 2021 and assessed to be linked to the SolarWinds supply chain attack. The group has targeted thousands of entities, including government agencies, large corporations, and critical infrastructure, predominantly in the U.S. and Europe. The indicators below are grouped by the role each host or URL played in the group's infrastructure: command-and-control servers, the proxies in front of them, the traffic distribution system, post-exploitation servers and the scripts they hosted, domain fronting endpoints, and JavaScript injection points.

  • The full report is available here

Cryptic Silverfish Indicators of Compromise (IOC)

C&C Servers

Cryptic Silverfish C&C Servers
146.0.32.16
178.249.69.35
130.0.235.92

File Hashes

SHA256

C&C Servers Proxies

Cryptic Silverfish C&C Servers Proxies
130.0.232.194
130.0.233.178
130.0.233.91
130.0.234.134
130.0.235.213
130.0.235.92
130.0.236.147
130.0.237.176
130.0.238.192
130.0.239.178
141.255.161.180
185.122.57.238
188.120.239.154
37.48.84.156
79.110.52.138
81.4.122.101
40ort.750.credit
adagio.betterworldshopping.com
admirer.onehourcfo.com
backup.awarfaregaming.com
bmlor.750.credit
builder.visionarybusiness.net
combat.strategyforgood.com
context.septemberyears.org
daddy.stlouisdemoday.com
defender5.coachwithak.com
fanta.swofficefurniture.com
freespace.givingprofits.net
gallery.wineadam.com
group3.pulsedesigngroup.us
inferno.bigpurposebigimpact.com
inspirer.cartsandmowers.com
joke.webproduct.info
joomla.lifepath.site
lion.vipjoyeria.com
method.nonprofitsustainability.com
phpmyadmin.xsunx.com
pixelapn2.adsprofitnetwork.com
pixelapn.adsprofitnetwork.com
plkiu.daniyalmedicaltech.com
printing.laminatesandthings.com
promo9.promossupply.com
prompt.powerofpartnerships.net
q.promossupply.com
rock.core-thought.com
snuff.mybabyrose.com
standart.sdtranspo.com
time.suehyatt.com
zombie.susan-hyatt.com

TDS IP/Domains

Traffic Distribution System (TDS) IP/Domains
179.43.169.30
179.43.169.31
179.43.169.32
79.110.52.138
79.110.52.139
79.110.52.140
champions.gdtc.org
flowers.netplusplans.com
flowers.thegardnerco.com
pointers.ecostratas.com
popcorn.net-zerodesign.com
test.news.pocketstay.com

VictimTotal IP/Domains

VictimTotal IP/Domains
185.163.45.150
185.163.47.211
moreeu.cn
moreofit.cn

Post Exploitation Servers

Post Exploitation Servers
104.128.228.76
141.136.0.4
149.154.157.248
173.232.146.12
176.10.118.136
179.43.141.188
185.14.29.246
185.189.151.178
185.189.151.182
185.43.220.214
185.99.133.129
188.138.71.62
38.135.104.189
84.38.183.45
91.219.239.43
91.219.239.54
coloradospringsroofing.info
lamarfish.com
robotvice.com
roofingspecialists.info
signup-now.com
tanzaniafisheries.com

Domain Fronting Addresses

Domain Fronting Addresses
d3ser9acyt7cdp.cloudfront.net
twimg-us.azureedge.net

JavaScript Injection Points

JavaScript Injection Points
jenkins.findfwd.com/sk-jspark_init.php
test.directfwd.com/sk-jspark_init.php
securesearchnow.com/sk-jspark_init.php
alertmeter.info/sk-jspark_init.php
freeresultsguide.com/sk-jspark_init.php

External Post Exploitation Script Addresses

External Post Exploitation Script Addresses
141.136.0.4/46tt83y6.ps1
173.232.146.12/Invoke-SocksProxy.psm1
176.10.118.136/pwrvw.ps1
179.43.141.188:80/46tt83y6.ps1
179.43.141.188:81/46tt83y6.ps1
179.43.141.188:82/46tt83y6.ps1
179.43.141.188:83/46tt83y6.ps1
185.14.29.246:80/Invoke-SocksProxy.psm1
185.189.151.178:80/Invoke-SocksProxy.psm1
185.189.151.182:443/46tt83y6.ps1
185.189.151.182:443/pwrvw.ps1
185.189.151.182:80/46tt83y6.ps1
185.189.151.182:80/pwrvw.ps1
185.43.220.214:80/Invoke-SocksProxy.psm1
185.43.220.214:80/pwrvw.ps1
185.99.133.129:80/p0fd798.ps1
188.138.71.62:80/Invoke-SocksProxy.psm1
188.138.71.62:80/p0fd798.ps1
38.135.104.189:80/46tt83y6.ps1
91.219.239.43:143/46tt83y6.ps1
91.219.239.43:80/46tt83y6.ps1
91.219.239.54:80/46tt83y6.ps1
91.219.239.54:81/46tt83y6.ps1
91.219.239.54:82/46tt83y6.ps1
coloradospringsroofing.info/file
roofingspecialists.info/file
rtfv.info/time
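As an added example (not code from this repository or from the underlying report), the Python script below parses the section layout used on this page and matches the indicators against proxy log lines. The excerpt embedded in `IOC_TEXT` is a subset of the lists above; the log lines are constructed for the example, and the rule that a script address listed without a port means port 80 is an assumption, not something the page states.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed excerpt in this README's own layout (a subset of the indicators
# above): section heading, blank line, table-header line, one indicator per line.
IOC_TEXT = """\
C&C Servers Proxies

Cryptic Silverfish C&C Servers Proxies
130.0.232.194
40ort.750.credit

Post Exploitation Servers

Post Exploitation Servers
173.232.146.12
179.43.141.188

External Post Exploitation Script Addresses

External Post Exploitation Script Addresses
173.232.146.12/Invoke-SocksProxy.psm1
179.43.141.188:81/46tt83y6.ps1
coloradospringsroofing.info/file
"""

# Constructed proxy log lines: "<timestamp> <client ip> <method> <url> <status>".
LOG_LINES = [
    "2021-03-12T10:01:02Z 10.0.0.5 GET http://179.43.141.188:81/46tt83y6.ps1 200",
    "2021-03-12T10:02:10Z 10.0.0.7 GET https://www.example.com/index.html 200",
    "2021-03-12T10:03:44Z 10.0.0.9 GET http://mail.40ort.750.credit/ 404",
    "2021-03-12T10:04:01Z 10.0.0.5 GET http://173.232.146.12/Invoke-SocksProxy.psm1 200",
    "2021-03-12T10:05:30Z 10.0.0.8 GET http://179.43.141.188:8080/46tt83y6.ps1 200",
]


def parse_ioc_readme(text: str) -> Dict[str, List[str]]:
    """Map section heading -> indicator rows. A one-line block is a heading; a
    longer block is a table header (skipped, even where mislabelled) plus rows."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) == 1:
            current = lines[0]
            sections.setdefault(current, [])
        elif lines and current is not None:
            sections[current].extend(lines[1:])
    return sections


class IocSet:
    def __init__(self, sections: Dict[str, List[str]]) -> None:
        self.ips: Dict[str, str] = {}                    # ip -> section
        self.domains: Dict[str, str] = {}                # domain -> section
        self.urls: Dict[Tuple[str, int, str], str] = {}  # (host, port, path) -> section
        for section, rows in sections.items():
            for ind in rows:
                self._add(ind, section)

    def _add(self, ind: str, section: str) -> None:
        if "/" in ind:  # host[:port]/path (path case kept); bare host assumed port 80
            hostport, path = ind.split("/", 1)
            host, _, port = hostport.lower().partition(":")
            self.urls[(host, int(port or 80), "/" + path)] = section
        elif ind.replace(".", "").isdigit():  # dotted-quad IPv4 (the list has no IPv6)
            self.ips[ind] = section
        else:
            self.domains[ind.lower()] = section

    def match_url(self, url: str) -> List[Tuple[str, str, str]]:
        """Return (kind, indicator, section) for every indicator one request matches."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        port = parts.port or (443 if parts.scheme == "https" else 80)
        path = parts.path or "/"
        hits = []
        if host in self.ips:
            hits.append(("ip", host, self.ips[host]))
        # Domain indicators also cover hosts beneath them (mail.40ort.750.credit).
        for dom, sec in self.domains.items():
            if host == dom or host.endswith("." + dom):
                hits.append(("domain", dom, sec))
        # Script URLs are keyed on port too (one script is listed on several ports
        # of a host); an unlisted port still hits on the IP entry alone.
        if (host, port, path) in self.urls:
            hits.append(("url", f"{host}:{port}{path}", self.urls[(host, port, path)]))
        return hits


def scan_log(lines: List[str], iocs: IocSet) -> List[Tuple[str, str, str, str]]:
    """Return (client ip, kind, indicator, section) for every IOC hit in the log."""
    findings = []
    for fields in (line.split() for line in lines):
        if len(fields) >= 4:
            findings.extend((fields[1],) + hit for hit in iocs.match_url(fields[3]))
    return findings


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES, IocSet(parse_ioc_readme(IOC_TEXT))):
        print(finding)
```

Domain indicators match the listed hostname and anything beneath it, IP indicators match only the exact address, and script addresses match host, port and path together, so a download of a listed script from an unlisted port surfaces only through the host's entry in the post-exploitation server list. Many of the C&C proxy hostnames above are subdomains of what appear to be legitimate businesses, so match the full listed hostname rather than its parent domain; a hit on the parent alone is not evidence of compromise.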