Rewterz Threat Alert – APT10 Group Targets Multiple Sectors in Multiple Countries, Including Finance, IT and Energy sectors

Friday, February 1, 2019

SEVERITY: HIGH

CATEGORY: APT (Advanced Persistent Threat)

ANALYSIS SUMMARY

The group known as APT10 / Cloud Hopper hits victims in many different sectors, including information technology, finance, energy, healthcare and public health, communications, and critical manufacturing. The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group to steal large volumes of intellectual property and sensitive data belonging to those MSSPs and their clients worldwide.

The campaign uses multiple malware families and variants, some of which are currently not detected by anti-virus signatures. Depending on the defensive mitigations in place, the attackers may gain full access to networks and data in a way that appears legitimate, allowing them to bypass detection. The campaign uses customized variants of trojans and malware that have previously been linked to Chinese espionage campaigns.

INDICATORS OF COMPROMISE

IP(s) / Hostname(s)

URLs

Filename

  • mtcReport[.]ktc
  • libvlc[.]dll
  • VeetlePlayer[.]exe

Malware Hash (MD5/SHA1/SHA256)


Remediation

Block the threat indicators at their respective controls. Keep systems up to date and patched against all known vulnerabilities.

Researchers also suggest conducting regular vulnerability scans of internal and external networks and hosted content to identify and mitigate vulnerabilities.

Implement an Intrusion Detection System (IDS) to ensure continuous monitoring, with alerts forwarded to a SIEM tool, and monitor internal activity.
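Taken together, the remediation steps above come down to refanging the alert's indicators, pushing each one to the control that can block it, and watching logs for hits. The Python below is an added example, not Rewterz code: it reuses the alert's `[.]` defanging, its section headings and the MD5/SHA1/SHA256 digest-length rule, while the indicators, log format and field names are constructed placeholders.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed placeholder indicators in the alert's defanged "[.]" notation,
# grouped under the alert's own section headings. These are NOT the real IoCs.
DEFANGED: Dict[str, List[str]] = {
    "IP(s) / Hostname(s)": ["198[.]51[.]100[.]23", "update[.]example[.]com"],
    "URLs": ["example-go-jp[.]test"],
    "Filename": ["VeetlePlayer[.]exe"],
    "Malware Hash (MD5/SHA1/SHA256)": [
        "d41d8cd98f00b204e9800998ecf8427e",           # MD5 of empty input
        "da39a3ee5e6b4b0d3255bfef95601890afd80709",   # SHA1 of empty input
    ],
}
# Constructed key=value log lines from a DNS resolver, a proxy and an EDR agent.
SAMPLE_LOGS = [
    "dns client=10.0.0.5 qname=mail.update.example.com",   # subdomain of IoC: hit
    "dns client=10.0.0.9 qname=example.com",               # parent of IoC: no hit
    "proxy client=10.0.0.7 dst=198.51.100.23 host=cdn.vendor.test",
    "edr host=WS-017 file=C:\\Temp\\VeetlePlayer.exe sha1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
    "dns client=10.0.0.5 qname=www.example-go-jp.test",
]

HEX = re.compile(r"^[0-9a-f]+$")
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}   # digest length -> algorithm
# Where each indicator type is blocked ("at their respective controls").
CONTROL_FOR = {"ip": "firewall", "domain": "dns_sinkhole_or_proxy",
               "filename": "edr", "md5": "edr", "sha1": "edr", "sha256": "edr"}
KV = re.compile(r"(\w+)=(\S+)")


def refang(value: str) -> str:
    """Undo defanging ('[.]' -> '.', 'hxxp' -> 'http') and normalise case."""
    return value.strip().replace("[.]", ".").replace("hxxp", "http").lower()


def classify(section: str, ioc: str) -> str:
    """Type a refanged indicator from its alert section plus a format check."""
    if section.startswith("Malware Hash"):
        if not (HEX.match(ioc) and len(ioc) in HASH_ALGO):
            raise ValueError(f"unrecognised hash: {ioc}")
        return HASH_ALGO[len(ioc)]
    if section == "Filename":
        return "filename"
    try:                        # IPs and hostnames share one section in the alert
        ipaddress.ip_address(ioc)
    except ValueError:
        return "domain"         # bare domains (URLs section) and full hostnames
    return "ip"


def load_indicators(defanged: Dict[str, List[str]]) -> List[Dict[str, str]]:
    return [{"value": refang(v), "type": classify(sec, refang(v))}
            for sec, values in defanged.items() for v in values]


def route_to_controls(iocs: List[Dict[str, str]]) -> Dict[str, List[str]]:
    routed: Dict[str, List[str]] = {}
    for ioc in iocs:
        routed.setdefault(CONTROL_FOR[ioc["type"]], []).append(ioc["value"])
    return routed


def domain_matches(observed: str, ioc: str) -> bool:
    """Exact host or a subdomain of the IoC; a parent domain of the IoC is not a hit."""
    return observed == ioc or observed.endswith("." + ioc)


def sweep_logs(lines: List[str], iocs: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One hit per (log line, indicator) pair; field names are the constructed logs'."""
    hits = []
    for line in lines:
        f = {k: v.lower() for k, v in KV.findall(line)}
        host = f.get("qname") or f.get("host", "")
        fname = f.get("file", "").replace("\\", "/").rsplit("/", 1)[-1]
        for ioc in iocs:
            t, v = ioc["type"], ioc["value"]
            if ((t == "ip" and f.get("dst") == v)
                    or (t == "domain" and domain_matches(host, v))
                    or (t == "filename" and fname == v)
                    or (t in HASH_ALGO.values() and f.get(t) == v)):
                hits.append({"indicator": v, "type": t, "line": line})
    return hits
```

`sweep_logs(SAMPLE_LOGS, load_indicators(DEFANGED))` yields five hits; the `example.com` query is the deliberate miss, since a block or alert must fire on the IoC and its subdomains, never on a parent domain.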

Copyright © Rewterz. All rights reserved.