November 25, 2020
Severity
High
Analysis Summary
APT-C-23, also known as AridViper and Desert Falcon, has resurfaced with malicious documents whose lures exploit the sensitivity of the ongoing Israel–Palestine conflict. The group was first documented around March 2017, with its main targets in the Middle East. It has previously trojanized an Android app to deploy Android/SpyC23.A, spyware that reads notifications from messaging apps, records calls and the screen, and carries stealth features such as dismissing notifications from built-in Android security apps. In this campaign the lure is delivered as an executable with a document-like name (see the filename indicator below): when opened, it displays a decoy document about the CIA and Hamas to keep the victim’s attention while a RAT runs in the background and gives the operators remote control of the host.
Impact
Attacker gains remote control of the victim’s system
Indicators of Compromise
Filename (defanged)
- Financing USA is illegal and suspicious organizations[.]exe
MD5
- 9fcb1cb7e8bb3424ce7e83ce5ad9a78d
SHA-1
- 89d1ba0a4aa7a4497906fa8a3840524dcbe60248
SHA-256
- b39c6bca4b7745a9af4a9345020950693d8c2326f1187007df1f6305e8f64228
Remediation
- Block the threat indicators listed above at your respective controls (mail gateway, web proxy, endpoint protection).
- Search for the IOCs in your environment, matching on file hashes as well as the lure filename, and treat any hit as an active compromise requiring investigation.
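The following script is an added example of how the second remediation step can be carried out on a file share or endpoint; it is not part of the Rewterz advisory. It loads the hashes and the lure filename listed above (re-fanging the `[.]` in the filename), walks a directory tree, computes MD5, SHA-1 and SHA-256 of every file in one pass, and reports any file that matches by name or by any digest. The `demo_scan` function, the constructed placeholder files it writes to a temporary directory and the function names are assumptions made for this example; the only real data in it are the indicators copied from the advisory.

```python
import hashlib
import os
import tempfile

# Indicators copied from the advisory. The filename is stored defanged
# exactly as published and re-fanged before matching.
IOC_FILENAMES_DEFANGED = {
    "Financing USA is illegal and suspicious organizations[.]exe",
}
IOC_HASHES = {
    "md5": {"9fcb1cb7e8bb3424ce7e83ce5ad9a78d"},
    "sha1": {"89d1ba0a4aa7a4497906fa8a3840524dcbe60248"},
    "sha256": {"b39c6bca4b7745a9af4a9345020950693d8c2326f1187007df1f6305e8f64228"},
}


def refang(indicator):
    """Turn a defanged indicator ('[.]') back into a matchable string."""
    return indicator.replace("[.]", ".")


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of a file, read once in chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in digests.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in digests.items()}


def scan_directory(root, filenames=IOC_FILENAMES_DEFANGED, hashes=IOC_HASHES):
    """Walk `root`; return [(path, [reasons])] for files matching any IOC.

    Filename matching is case-insensitive because the sample targets Windows,
    where the file system does not distinguish case.
    """
    wanted_names = {refang(n).casefold() for n in filenames}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name.casefold() in wanted_names:
                reasons.append("filename")
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file (permissions, in use): skip, keep scanning
            for algo, digest in digests.items():
                if digest in hashes.get(algo, set()):
                    reasons.append(algo)
            if reasons:
                hits.append((path, reasons))
    return hits


def demo_scan():
    """Constructed demonstration (assumed, not from the advisory).

    Builds a throw-away tree containing a placeholder file carrying the lure
    filename plus a benign file, then scans it twice: once with the advisory's
    IOCs (only the filename can match, since the placeholder bytes are not the
    real sample) and once with the benign file's own digests to show hash hits.
    """
    with tempfile.TemporaryDirectory() as root:
        decoy = os.path.join(root, refang(next(iter(IOC_FILENAMES_DEFANGED))))
        with open(decoy, "wb") as fh:
            fh.write(b"constructed placeholder, not the real sample")
        benign = os.path.join(root, "notes.txt")
        with open(benign, "wb") as fh:
            fh.write(b"harmless constructed content")

        by_name = scan_directory(root)
        constructed_hashes = {algo: {d} for algo, d in hash_file(benign).items()}
        by_hash = scan_directory(root, filenames=set(), hashes=constructed_hashes)
        return {
            "by_name": {os.path.basename(p): r for p, r in by_name},
            "by_hash": {os.path.basename(p): r for p, r in by_hash},
        }


if __name__ == "__main__":
    for path, reasons in scan_directory(os.getcwd()):
        print(f"IOC hit: {path} ({', '.join(reasons)})")
```

Point `scan_directory` at user profile, download and temp directories on suspect hosts; a hash hit is strong evidence that the sample is present, while a filename-only hit should still be pulled for analysis because attackers reuse lure names across rebuilt payloads whose hashes differ.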