Financial Sector Cyber Intelligence Group: APT Targeting U.S. Financial Institutions

CIG Circular 44 – HTTP POST Request Used for Implant Communications

Page Count: 2 pages
Date: September 3, 2015
Restriction: TLP: GREEN
Originating Organization: Department of the Treasury, Financial Sector Cyber Intelligence Group
File Type: pdf
File Size: 160,803 bytes
File Hash (SHA-256): 795A60188A742F2B6553D3A17D468F55F12AF5848A9CBABBFAA31D73BFBDAF7F

Download File


This circular is intended to inform network security specialists of cyber actors’ tactics, techniques, procedures (TTPs) and associated indicators, to assist in network defense capabilities and planning.


This circular provides a sample HTTP POST request related to malware used in recent spear-phishing campaigns by an APT actor that has previously targeted the U.S. financial sector.


As of July 2015, an APT actor that has previously targeted the U.S. financial sector used an implant to provide command and control (C2), according to credible reporting. Implant communications were observed between administrative infrastructure and known malware C2 nodes used in spear-phishing campaigns in July 2015. The communication from administrative infrastructure was an HTTP POST request. The file name, content-length, and host associated with the request varied. A sample of the HTTP POST request is provided below:

POST /style.php HTTP/1.1
Accept-Encoding: identity
Content-Length: 272
Host: [HOST]
Content-Type: multipart/form-data; boundary=
Connection: close
User-Agent: Python-urllib/2.7
Content-Disposition: form-data; name=”action”
getAll –
Content-Disposition: form-data; name=”type”

The actor also obfuscated executable files by Base64 encoding the files to appear as SSL certificates.

Share this: