April 8, 2022
Severity
High
Analysis Summary
APT 10 (aka Cicada, MenuPass, Red Apollo, Stone Panda, and POTASSIUM) is a Chinese nation-state actor that targets governments in Asia, Europe, and the United States. The group has been active since at least 2006 and is linked to the Tianjin field office of China's Ministry of State Security. It supports Chinese organizations and corporations by targeting rival industries and businesses to obtain intelligence. The group has used traditional spear-phishing techniques and has also compromised MSPs (managed service providers) to reach its targets' networks. In recent attacks, after laying low for some time, APT 10 has been running a campaign targeting NGOs (non-governmental organizations) as well as legal, governmental, and religious organizations. The group uses the Sodamaster backdoor and a custom loader to conduct the attacks. Mimikatz was also used by the threat group to drop mimilib.dll and harvest credentials. The threat actors have also been seen abusing the legitimate VLC Media Player to run a custom loader through VLC's export functions.
Impact
- Unauthorized Access
- Sensitive Data Theft
- Cyber Espionage
Indicators of Compromise
IP
- 88[.]198[.]101[.]58
- 168[.]100[.]8[.]38
MD5
- dc017b3ace102dbeab7225d4f7f79115
- bdd548819f74096d2de4a468f987b1f3
- ddacd8bc05515fb92abaf2a9ebec76ce
- c0e649fa591ed6c5746d394cb2de3c72
SHA-256
- 20fc3cf1afcad9e6f19e9abebfc9daf374909801d874c3d276b913f12d6230ec
- 2317d3e14ab214f06ae38a729524646971e21b398eda15cc9deb8b00b231abc3
- 2417da3adebd446b9fcb8b896adb14ea495a4d923e3655e5033f78d8e648fcc8
- 83030f299a776114878bcd2ade585d97836ef4ddb6943cb796be2c88bcb83a83
SHA-1
- 82e410f7c4e9ecf44831ffb4b9b95da44c104200
- d8b631c551845f892ebb5e7d09991f6c9d4facad
- a4b9a9edcca8f3eb39ecf157c10db7553e932a54
- d2b8f4fe6eedb8b87521772fc823da596f2403b7
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.
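The "Search for IOCs in your environment" step, as an added hunting example that is not part of the Rewterz alert: it refangs the published IPs, hashes files on disk against the MD5/SHA-1/SHA-256 lists above, and flags log lines that reference the IPs. The directory to scan and the log line format are assumptions.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from the alert above; IPs are kept defanged as published.
IOC_IPS_DEFANGED = ["88[.]198[.]101[.]58", "168[.]100[.]8[.]38"]
IOC_HASHES = {
    "md5": {"dc017b3ace102dbeab7225d4f7f79115", "bdd548819f74096d2de4a468f987b1f3",
            "ddacd8bc05515fb92abaf2a9ebec76ce", "c0e649fa591ed6c5746d394cb2de3c72"},
    "sha1": {"82e410f7c4e9ecf44831ffb4b9b95da44c104200", "d8b631c551845f892ebb5e7d09991f6c9d4facad",
             "a4b9a9edcca8f3eb39ecf157c10db7553e932a54", "d2b8f4fe6eedb8b87521772fc823da596f2403b7"},
    "sha256": {"20fc3cf1afcad9e6f19e9abebfc9daf374909801d874c3d276b913f12d6230ec",
               "2317d3e14ab214f06ae38a729524646971e21b398eda15cc9deb8b00b231abc3",
               "2417da3adebd446b9fcb8b896adb14ea495a4d923e3655e5033f78d8e648fcc8",
               "83030f299a776114878bcd2ade585d97836ef4ddb6943cb796be2c88bcb83a83"},
}

def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 88[.]198[.]101[.]58 back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

# Word boundaries stop 188.198.101.58 from matching 88.198.101.58.
IOC_IP_PATTERN = re.compile(r"\b(" + "|".join(re.escape(refang(ip)) for ip in IOC_IPS_DEFANGED) + r")\b")

def file_hashes(path: Path) -> dict:
    """Read a file once in 1 MiB chunks and return all three digests the alert lists."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def scan_files(root: Path) -> list:
    """Return (path, algorithm) pairs for files under root whose digest matches an alert hash."""
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            for algo, digest in file_hashes(path).items():
                if digest in IOC_HASHES[algo]:
                    hits.append((str(path), algo))
    return hits

def scan_log_lines(lines) -> list:
    """Return (line_number, ip) for lines (assumed proxy/firewall log text) that mention an alert IP."""
    return [(n, m.group(1)) for n, line in enumerate(lines, 1) if (m := IOC_IP_PATTERN.search(line))]
```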