HT ZeroDays

[chrisddom]

http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-government-with-hacking-team-flash-exploit/
http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/

Indicators

UPS
a2fe113cc13acac2bb79a375f692b8ba5cc2fa880272adc7ab0d01f839e877ff
Domains
rpt.perrydale[.]com
report.perrydale[.]com
IPs
194.44.130[.]179
URLs
rpt.perrydale[.]com /en/show.swf
report.perrydale[.]com /ema/show.swf
rpt.perrydale[.]com /en/b.gif
report.perrydale[.]com /ema/b,gif

PawnStorm
192[.]111[.]146[.]185 (direct to IP call)
www[.]acledit[.]com
www[.]biocpl[.]org

[kbandla]

i'm going to wait on this one. Will add it after a few more weeks.

[chrisddom]

Yeah good call - there are at least 5 distinct articles on different groups using these already

[kbandla]

Another HT related article:
https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html

@kbandla also add this one in, closing out the origin ticket: http://blog.shadowserver.org/2015/08/10/the-italian-connection-an-analysis-of-exploit-supply-chains-and-digital-quartermasters/