* Posts by bbaskin

1 publicly visible post • joined 18 May 2015

Chinese cyber-spies hid botnet controls in MS TechNet comments

bbaskin

More detail on the attack

FireEye decided not to release any real details on this activity. RSA published a blog post showing exactly how the IP address was encoded and how to decode it, as well as signatures and rules to look for malware on your system that uses it. FireEye just gave a few MD5 hashes for a small set of samples it saw.

https://blogs.rsa.com/wolves-among-us-abusing-trusted-providers-malware-operations/