February 2, 2022
Severity
High
Analysis Summary
Phosphorus (aka TA453, COBALT ILLUSION, Charming Kitten, Newscaster, Magic Hound, and APT35) is an Iran-based nation-state threat group that has been active since at least 2014. The group conducts cyberattacks against Iran's adversaries in alignment with Iran's Islamic Revolutionary Guard Corps. It uses novel techniques to evade detection, relying on malicious PowerShell scripts. The malware delivered by these scripts operates as a remote access backdoor, which is then used to download further malware payloads. With multistaged and modular toolkits, Phosphorus remains a stealthy threat against enemies of Iran.
Impact
- Exposure of Sensitive Data
- Remote Code Execution
- Gain Access
- Cyber Espionage
- Data Theft
Indicators of Compromise
Remediation
- Always be suspicious of emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
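As an added example, not part of the Rewterz alert, the following Python helper parses an IOC section written in the defanged layout used above (IP lines with `[.]`, hash lines listed under MD5/SHA-1/SHA-256 headings), refangs the IPs, and checks local files and log lines against the resulting sets. The sample IOC text is constructed and its values are placeholders, not the alert's indicators.

```python
import hashlib
import re

# Constructed sample in the alert's layout; the values are placeholders, not real IOCs.
SAMPLE_IOC_TEXT = """IP
- 192[.]0[.]2[.]10
MD5
- 9e107d9d372bb6826bd81d3542a419d6
SHA-256
- d7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592
"""

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length identifies the algorithm
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_iocs(text):
    # Only "- " bullet items are indicators; headings and prose are skipped.
    # Advisories write 91[.]214[.]124[.]143 so the IP is not clickable; "[.]" is undone here.
    iocs = {"ip": set(), "md5": set(), "sha1": set(), "sha256": set()}
    for line in text.splitlines():
        if not line.strip().startswith("- "):
            continue
        value = line.strip()[2:].strip().replace("[.]", ".").lower()
        if IPV4.fullmatch(value):
            iocs["ip"].add(value)
        elif re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_ALGOS:
            iocs[HASH_ALGOS[len(value)]].add(value)
    return iocs

def file_digests(path):
    # One read of the file feeds all three hashers, so each file is hashed only once.
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def match_files(paths, iocs):
    # Return (path, algorithm, digest) for each file whose digest is a listed indicator.
    return [(str(p), algo, d) for p in paths
            for algo, d in file_digests(p).items() if d in iocs[algo]]

def match_ips(log_lines, iocs):
    # Return (line_number, ip) for each log line that mentions a listed indicator IP.
    return [(n, ip) for n, line in enumerate(log_lines, 1)
            for ip in IPV4.findall(line) if ip in iocs["ip"]]
```

Feed it the IOC section of an alert and a list of files or log lines to get a list of hits that can be raised to the SOC for triage.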