Rewterz Threat Advisory – Oracle Patches Critical Vulnerabilities (July 21, 2021)
Rewterz Threat Alert – MosaicLoader – New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection (July 21, 2021)
July 21, 2021
Severity
High
Analysis Summary
Havex is a Remote Access Trojan (RAT) that communicates with a command-and-control (C&C) server. The C&C server can deploy payloads that provide additional functionality. The threat actors deliver the malware through phishing emails, redirections to compromised websites, and, most recently, update installers hosted on at least three ICS vendor websites. According to analysis, these techniques could have allowed the attackers to access the networks of organizations that installed the software.
Background
Since at least September 2020, a Russian state-sponsored APT actor (known variously as Berserk Bear, Energetic Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala in open-source reporting) has conducted a campaign against a wide variety of U.S. targets. The actor has targeted dozens of state, local, tribal, and territorial (SLTT) government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and exfiltrated data from at least two victim servers. The actor obtains user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets in order to exfiltrate data. In at least one compromise, the actor laterally traversed an SLTT victim network and accessed documents related to:
- Sensitive network configurations and passwords
- Standard operating procedures (SOPs), such as enrolling in multi-factor authentication (MFA)
- IT instructions, such as requesting password resets
- Vendors and purchasing information
- Printing access badges
Impact
- Information Theft
- Credential Theft
- Exposure of Sensitive Data
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
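As an added defender example (not code from the Rewterz advisory), the following Python sweep implements the "search for IOCs in your environment" step: it hashes every file under a directory in one pass for all three algorithms the advisory lists (MD5, SHA-1, SHA-256) and reports any match. The indicator set here is a constructed placeholder; in use, fill each set with the advisory's own hash values.

```python
import hashlib
import os
import tempfile
# Constructed placeholder indicator set for this demo; in use, fill each set with the
# MD5 / SHA-1 / SHA-256 values from the advisory (lowercase hex). The one entry here
# is the SHA-256 of the constructed sample bytes b"abc".
SAMPLE_INDICATORS = {
    "md5": set(),
    "sha1": set(),
    "sha256": {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
}

def hash_file(path, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 of a file, computed in a single streaming pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def match_indicators(digests, indicators):
    """(algorithm, digest) pairs from `digests` that appear in the indicator set."""
    return [(algo, digests[algo]) for algo in ("md5", "sha1", "sha256")
            if digests[algo] in indicators.get(algo, set())]

def sweep(root, indicators):
    """Walk `root` and return {path: hits} for every file matching any indicator."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                found = match_indicators(hash_file(path), indicators)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
            if found:
                hits[path] = found
    return hits

def demo_sweep():
    """Sweep a constructed two-file tree; returns the names of the files that matched."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "dropper.bin"), "wb") as fh:
            fh.write(b"abc")             # its SHA-256 is in SAMPLE_INDICATORS
        with open(os.path.join(tmp, "readme.txt"), "wb") as fh:
            fh.write(b"benign content")  # no indicator matches
        return sorted(os.path.basename(p) for p in sweep(tmp, SAMPLE_INDICATORS))

if __name__ == "__main__":
    print(demo_sweep())  # ['dropper.bin']
```

Point `sweep()` at a real path (for example a downloads directory or an installer cache) with the advisory's hashes loaded into the indicator set; a hit is a reason to isolate the host and pull the file for analysis, not proof of execution by itself.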