Severity
High
Analysis Summary
Researchers have uncovered a large-scale phishing campaign aimed at the government, academic, foundation, and research sectors, with a focus on Australia, Japan, Taiwan, Myanmar, and the Philippines.
The campaign was observed from March 2022 to October 2022 and is attributed to the Advanced Persistent Threat (APT) group Earth Preta (also known as Mustang Panda and Bronze President). Earth Preta is known for developing its own loaders and using them alongside existing tools such as PlugX and Cobalt Strike to compromise targets.
In the latest campaign, Earth Preta used fake Google accounts to deliver malware through spear-phishing emails. The malware was packaged in an archive file (rar, zip or jar) and distributed via Google Drive links. During the campaign, researchers identified two new malware families used by the group (TONEINS and TONESHELL) alongside PUBLOAD, a previously disclosed malware.
PUBLOAD – A stager capable of downloading the next-stage payload from its command-and-control (C&C) server. Cisco Talos first reported it in May 2022.
TONEINS – First-stage malware that installs the TONESHELL backdoor and establishes persistence for it.
TONESHELL – The main backdoor used in this campaign. It is a shellcode loader that decodes and loads the backdoor shellcode using a 32-byte key held in memory.
The threat actors also employ a variety of techniques, including code obfuscation and custom exception handlers, to evade detection and analysis. Researchers further found that the senders of the spear-phishing emails and the owners of the Google Drive links were the same accounts.
“We also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts.”
At least three types of arrival vectors were observed as entry points for the intrusions in the latest campaign, including more than 30 lure archives worldwide distributed via Google Drive links, Dropbox links, or direct links to IP addresses hosting the files.
Researchers concluded that once the group has gained access to a victim's network, the sensitive data it steals can be reused as lures and entry points for the next wave of intrusions.
They also recommend the following mitigations:
- Implement ongoing phishing awareness training for partners and staff.
- Always double-check the sender and subject of an email before opening it, especially if the sender is unknown or the subject is ambiguous.
- Use a multi-layered protection solution to identify and block threats as far left in the malware infection chain as feasible.
Impact
- Information Theft
- Exposure To Sensitive Data
Indicators of Compromise
MD5
69b40a4dbca10fe6b6353f3553785080
c5e26581c0f47b2452bb1d695769b130
f361bee96333c734bad1b399ec4d8862
ca6b346b63b2f6c1d70d03f717d3e844
c4da531b7391a99e1a1a23a405d19bf6
SHA-256
2f2a8a001072f14c066bea15388af2155b02e0046180e450268db6bcdafa6e5a
064fe5bc15828693ac62cfd7e83f705d734e2554d2ff8ed82f701864512e7624
536fa7a7bcc7ba39da329a1656a2ac0448a9f01885bf48de6f15f554ce7994ac
229508972ad52e0ae1ff2d74fc70ebefd8b816e212ced849fbe6c1c2a1350ef6
447a62c7e29e2da85884b6e4aea80aca2cc5ba86694733ca397a2c8ba0f8e197
SHA-1
a0fdf1684904a091d5280844d4368e47357bbc9e
32a58791de03b504eccf1956da311cbc0eefa5c0
e6cbb0d14be2953d6882c5bf2808ea0b8e5c8d88
336f0ce13eb3af378207fa7ac4d90f764b192eac
69baa04bb96fba844c4cb0b6eb0934c56dfc8010
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
- Implement ongoing phishing awareness training for partners and staff.
- Use a multi-layered protection solution to identify and block threats as far left in the malware infection chain as feasible.
- Enable antivirus and anti-malware software and keep signature definitions up to date.
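As an added example of the "search for IOCs in your environment" step (this script is not part of the advisory or of the researchers' tooling), the Python below hashes every regular file under one or more directories once, computing MD5, SHA-1 and SHA-256 in a single read, and reports any file whose digest appears in the indicator sets listed above. The directory paths are assumed; the indicator values are exactly the ones in this advisory. A hash match is a high-confidence hit, but the absence of a match proves nothing, since a recompiled or repacked sample changes every digest, so pair this with behavioural detection rather than relying on it alone.

```python
import hashlib
import os
import sys

# Indicators from this advisory, grouped by algorithm. All digests are lowercase hex.
IOC_HASHES = {
    "md5": {
        "69b40a4dbca10fe6b6353f3553785080",
        "c5e26581c0f47b2452bb1d695769b130",
        "f361bee96333c734bad1b399ec4d8862",
        "ca6b346b63b2f6c1d70d03f717d3e844",
        "c4da531b7391a99e1a1a23a405d19bf6",
    },
    "sha1": {
        "a0fdf1684904a091d5280844d4368e47357bbc9e",
        "32a58791de03b504eccf1956da311cbc0eefa5c0",
        "e6cbb0d14be2953d6882c5bf2808ea0b8e5c8d88",
        "336f0ce13eb3af378207fa7ac4d90f764b192eac",
        "69baa04bb96fba844c4cb0b6eb0934c56dfc8010",
    },
    "sha256": {
        "2f2a8a001072f14c066bea15388af2155b02e0046180e450268db6bcdafa6e5a",
        "064fe5bc15828693ac62cfd7e83f705d734e2554d2ff8ed82f701864512e7624",
        "536fa7a7bcc7ba39da329a1656a2ac0448a9f01885bf48de6f15f554ce7994ac",
        "229508972ad52e0ae1ff2d74fc70ebefd8b816e212ced849fbe6c1c2a1350ef6",
        "447a62c7e29e2da85884b6e4aea80aca2cc5ba86694733ca397a2c8ba0f8e197",
    },
}


def hash_file(path, chunk_size=1 << 20):
    """Return {"md5", "sha1", "sha256"} lowercase hex digests of a file.

    The file is read once in chunks so large archives do not have to fit in memory
    and are not read three times."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan_tree(root, indicators=IOC_HASHES):
    """Walk `root` and return [(path, algorithm, digest)] for every file whose
    digest appears in `indicators`.

    Symlinked directories are not followed and symlinked files are skipped, so a
    planted link cannot steer the scan outside `root`. Files that cannot be read
    (permissions, vanished mid-scan) are skipped rather than aborting the run."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if digest in indicators.get(algo, ()):
                    hits.append((path, algo, digest))
    return hits


if __name__ == "__main__":
    # Usage (assumed paths): python ioc_scan.py /srv/mail/attachments /home
    for root in sys.argv[1:] or ["."]:
        for path, algo, digest in scan_tree(root):
            print(f"MATCH {algo} {digest} {path}")
```

Because the three digests of one file are computed together, a single hit is reported once per algorithm it matches, which also tells you which of the advisory's lists the file corresponds to. To extend the scan to a different advisory, pass its own sets to `scan_tree` via the `indicators` argument instead of editing `IOC_HASHES`.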