Openhunting Threat Library

NewsReels

NewsReels
(Type: Backdoor, Exfiltration)

The NEWSREELS malware family is an HTTP based backdoor. When first started, NEWSREELS decodes two strings from its resources section. These strings are both used as C2 channels, one URL is used as a beacon URL (transmitting) and the second URL is used to get commands (receiving). The NEWSREELS malware family is capable of performing file uploads, downloads, creating processes or creating an interactive reverse shell.

[News Analysis] Trends:

Total Trend: 1

Trend Per Year
1
2018


Trend Per Month
1
2018



[News Analysis] News Mention Another Threat Name:

33 - Auriga33 - Biscuit33 - Bouncer33 - Combos33 - CookieBag33 - Dairy33 - GetMail33 - GlooxMail33 - Goggles33 - Hacksfase33 - Helauto33 - Kurton33 - ManItsMe33 - MAPIget33 - MiniASP33 - NewsReels33 - SeaSalt33 - StarsyPound33 - Sword33 - TabMsgSQL33 - Tarsip33 - WebC2-AdSpace33 - WebC2-Ausov33 - WebC2-Bolid33 - WebC2-Cson33 - WebC2-DIV33 - WebC2-GreenCat33 - WebC2-Head33 - WebC2-Kt333 - WebC2-Qbp33 - WebC2-Rave33 - WebC2-Table33 - WebC2-UGX33 - WebC2-Yahoo


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

APT1

2018 by Mandiant from Mandiant

Basic Information (Credit @etda.or.th)

Tool: NewsReels

Names: NewsReels

Description: The NEWSREELS malware family is an HTTP based backdoor. When first started, NEWSREELS decodes two strings from its resources section. These strings are both used as C2 channels, one URL is used as a beacon URL (transmitting) and the second URL is used to get commands (receiving). The NEWSREELS malware family is capable of performing file uploads, downloads, creating processes or creating an interactive reverse shell.

Category: Malware

Type: Backdoor, Exfiltration

Information: https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html

Information: http://contagiodump.blogspot.com/2013/03/mandiant-apt1-samples-categorized-by.html

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels

Last-card-change: 2020-04-23

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact