Scenario
Your CEO has forwarded you an article from Kaspersky: https://securelist.com/apt-phantomlance/96772/#infrastructure.
The CEO wants you to review the publication and determine whether your organization has anything to worry about and whether it has already been affected by this attack.
Goal
Read the article, then investigate the command-and-control (C2) domains and the IP address listed in its infrastructure section and see what you can find out.
Important Note: During the investigation you have instructed your team not to visit the C2 domains or IP address directly. Use passive DNS and other third-party data instead, so that no malware is pulled into the organization and your lookups do not show up in the attacker's server logs.
Objectives
Objective 1: What are the key characteristics of the attack (targets, tooling and infrastructure)?
Objective 2: Is the attack still active (are the C2 domains and IP address still resolving and in use)?
Objective 3: Does your organization need to worry about this attack?
Objective 4: Have you seen any of the IOCs in your own environment (DNS, proxy or firewall logs)?
In this exercise I will also highlight the differences between the RiskIQ PassiveTotal account types and integrations:
Free Community Account
Paid Enterprise Account
PassiveTotal Enterprise with the CrowdStrike integration enabled.
Searches
https://securelist.com/apt-phantomlance/96772/#infrastructure
https://community.riskiq.com/search/88.150.138.77/resolutions
https://community.riskiq.com/search/ps.andreagahuvrauvin.com
https://community.riskiq.com/search/paste.christienollmache.xyz/resolutions
https://community.riskiq.com/search/att.illagedrivestralia.xyz
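Objective 4 (have we seen any of the IOCs?) is answered from your own logs, not from the C2 servers, which keeps to the rule above about never visiting the infrastructure directly. The script below is an added example written for this exercise; it is not code from RiskIQ, Kaspersky or the PassiveTotal platform. It takes the four indicators from the search list above (the full IOC list is in the Kaspersky article and should be added for a real sweep), normalizes them, and matches them against a handful of constructed DNS and connection log lines in a hypothetical "<timestamp> <source> <dns|conn> <value>" format. It also shows why a naive substring search over-reports: a trailing dot, mixed case, a subdomain of an IOC domain, an IOC domain embedded in a longer unrelated name, and a longer IP that merely contains the IOC IP are all handled deliberately.

```python
"""Offline IOC sweep for the PhantomLance indicators listed on this page.

Added example for this exercise (not RiskIQ, Kaspersky or PassiveTotal code).
It never contacts the C2 infrastructure: it only compares indicators against
log lines you already hold.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Indicators copied from the search list on this page. Extend from the
# Kaspersky article's infrastructure section for a real sweep.
IOC_DOMAINS = {
    "ps.andreagahuvrauvin.com",
    "paste.christienollmache.xyz",
    "att.illagedrivestralia.xyz",
}
IOC_IPS = {ipaddress.ip_address("88.150.138.77")}

# Constructed sample logs (hypothetical format: "<ts> <src> <dns|conn> <value>").
# Lines 1, 2 and 4 are true hits; lines 5 and 6 are look-alikes that a
# substring search would wrongly flag.
SAMPLE_LOGS = """
2020-04-29T10:01:02Z 10.0.0.15 dns PASTE.christienollmache.xyz.
2020-04-29T10:01:03Z 10.0.0.15 conn 88.150.138.77:443
2020-04-29T10:02:00Z 10.0.0.22 dns www.example.com
2020-04-29T10:03:00Z 10.0.0.31 dns cdn.att.illagedrivestralia.xyz
2020-04-29T10:04:00Z 10.0.0.31 conn 188.150.138.77:80
2020-04-29T10:05:00Z 10.0.0.40 dns paste.christienollmache.xyz.example.net
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|conn)\s+(?P<value>\S+)$")


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot that DNS logs often carry."""
    return name.strip().rstrip(".").lower()


def domain_matches(name: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Label-boundary matching: 'cdn.att.illagedrivestralia.xyz' matches, but
    'paste.christienollmache.xyz.example.net' does not.
    """
    name = normalize_domain(name)
    for ioc in iocs:
        ioc = normalize_domain(ioc)
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def ip_matches(token: str, iocs: Iterable[ipaddress._BaseAddress]) -> Optional[str]:
    """Parse `token` (optionally 'host:port') as an IP and compare it exactly."""
    for candidate in (token, token.rsplit(":", 1)[0]):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        return str(addr) if addr in set(iocs) else None
    return None


def sweep(log_text: str, domains: Iterable[str] = IOC_DOMAINS,
          ips: Iterable[ipaddress._BaseAddress] = IOC_IPS) -> List[Dict[str, str]]:
    """Return one hit record per log line whose value matches an IOC."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        kind, value = m["kind"], m["value"]
        ioc = domain_matches(value, domains) if kind == "dns" else ip_matches(value, ips)
        if ioc:
            hits.append({"ts": m["ts"], "src": m["src"], "kind": kind,
                         "observed": value, "ioc": ioc})
    return hits


def naive_substring_hits(log_text: str) -> int:
    """Count lines a plain substring search would flag (over-reports)."""
    needles = {d.lower() for d in IOC_DOMAINS} | {str(ip) for ip in IOC_IPS}
    return sum(1 for line in log_text.splitlines()
               if any(n in line.lower() for n in needles))


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} {hit['kind']} {hit['observed']} -> IOC {hit['ioc']}")
    print("strict hits:", len(sweep(SAMPLE_LOGS)),
          "naive substring hits:", naive_substring_hits(SAMPLE_LOGS))
```

Each hit carries the source host and timestamp, which is what you need for Objective 3: a match on an internal host means the organization is not just potentially exposed but has talked to, or tried to resolve, the C2. Note that a passive-DNS hit on the RiskIQ side (Objective 2) only tells you the domain is still resolving; only your own logs tell you whether you were affected.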