
Rewterz Threat Alert – APT C-23 aka AridViper Active in Middle East Region – Active IOCs

November 25, 2021

Severity

Medium

Analysis Summary

APT C-23, also known as AridViper and Desert Falcons, is active in the Middle East region, targeting different sectors with malicious documents. The group was first reported around March 2017, and its main targets have been in the Middle East. It has previously distributed a fake Android app to deploy Android/SpyC23, spyware used mainly for surveillance: reading notifications from messaging apps, recording calls and the screen, and, in newer builds, stealth features such as dismissing notifications raised by built-in Android security apps. The ongoing campaign targets Sudan. The decoy document impersonates an embassy in the capital, Khartoum, and requests diplomatic clearance for two military aircraft (a C-130 and a C-17) to land, with a permit valid for 72 hours. The timing of these documents is significant, as there is ongoing policy-making activity in the region concerning ties with other countries.

The decoy documents look like an attempt to disrupt the diplomatic talks currently under way between Middle Eastern countries.

[Image: the decoy document]

This is linked to the group's ongoing spying campaign in the Middle East via Android mobile apps, whose spyware resists takedown and manual removal. The spyware is distributed as apps posing as "App Updates", "System Apps Updates" or "Android Update Intelligence", delivered to targets as links in text messages. After installation, the app requests permissions including access to media and other files on the phone.

Impact

  • Information theft and espionage
  • Data exfiltration

Indicators of Compromise

Filename

  • ملف التدريب والتجنيس الجديد المتعلق بالمنتسبين الجدد[.]rar (Arabic; roughly "new training and naturalization file relating to new recruits"; the extraction had rendered the extension first because of right-to-left display)

MD5

  • ffc97a79f87dbc48b2230566b7af189f
  • ed11daeb1f49f9dc73c3ff72c92416b4
  • bb791edaf5cba30d59f70c1e2e8c6672
  • fe4a7e55e17aba385a477bea2c6ef837
  • 73062a456903a4d12ba64423e0071dd0
  • 117f9b3baa5349afb60377421d53cfef
  • 29ad37ab4e5e78f34ae8232f93d5bfa2
  • 2a37ab6e3ba450fdc2b27328f52f0226

SHA-256

  • e00179c7bc76f90864f32275de183f76730cd4a99173c0b6fd6504afa02c8d55
  • db511ead013e21f51303dd4f6a856418f88d72a7f95c0b2ace0c3ba80866bdf6
  • c054f6597665fccd18751a88d15488657ff19a286dbd4aac7ecb773b0df60c4d
  • 57bc6b95ecea7e0ca34174f1190de1e9664408311c973866b853d24f41b0e760
  • 57afc0eac8b23d955b75585d5ca7b086a7e17df94b9cb276847ec1c5fe6b6c1a
  • 56becf7125a1596e30f80befb986ae96e18da5be40cc3f78ac0c35ae7a4e17ae
  • 33f79a64fee300f60541a96e2b0c4bcec3aac6f717dff52baa9da7ed803ed6f3
  • c8103ef05c45313100802128e8856713e08bda283af796002e139d3ae78bee15

SHA-1

  • e5abf9f727c4b557f7450cfaccc907f35074fd2d
  • 5df9d696f1bd2ee560a2c97ca07a6bc22a9a8518
  • fa3cfb2858fdab292d3059b143bd0620c97040e8
  • cdb5b7aed5580644eb845238774d7d6319b4c874
  • cc7611e98594b2d14236a265268b251170e9402c
  • 865d5aa59aaca4c886cd8747d3d6077a2955898a
  • 8dd6c87a01007e41ef82e4cbb402334d7ae08650
  • 2256b0f1b93889e65e187b965cdaa42416bcbd78

Remediation

  • Block all threat indicators at your respective controls.
  • Search for the IOCs in your environment, including mail gateway logs for the decoy archive name.
  • Always be suspicious of emails and attachments from unknown senders.
  • Do not install Android apps from links received by text message; the spyware described above is delivered that way and poses as a system update.
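The "search for the IOCs in your environment" step, as an added example that is not Rewterz tooling or code from the advisory: a Python script that walks a directory, hashes each regular file once with MD5, SHA-1 and SHA-256 simultaneously, and reports any file whose digest or name matches the indicators listed above. The hash and filename values are copied from this advisory; the function names, the `Match` record and the directory-walking logic are this example's own.

```python
"""Hunt for this advisory's APT C-23 / AridViper file indicators on a local filesystem."""
import hashlib
import os
from dataclasses import dataclass
from pathlib import Path

# Hash indicators copied verbatim from the advisory above.
MD5_IOCS = {
    "ffc97a79f87dbc48b2230566b7af189f", "ed11daeb1f49f9dc73c3ff72c92416b4",
    "bb791edaf5cba30d59f70c1e2e8c6672", "fe4a7e55e17aba385a477bea2c6ef837",
    "73062a456903a4d12ba64423e0071dd0", "117f9b3baa5349afb60377421d53cfef",
    "29ad37ab4e5e78f34ae8232f93d5bfa2", "2a37ab6e3ba450fdc2b27328f52f0226",
}
SHA1_IOCS = {
    "e5abf9f727c4b557f7450cfaccc907f35074fd2d", "5df9d696f1bd2ee560a2c97ca07a6bc22a9a8518",
    "fa3cfb2858fdab292d3059b143bd0620c97040e8", "cdb5b7aed5580644eb845238774d7d6319b4c874",
    "cc7611e98594b2d14236a265268b251170e9402c", "865d5aa59aaca4c886cd8747d3d6077a2955898a",
    "8dd6c87a01007e41ef82e4cbb402334d7ae08650", "2256b0f1b93889e65e187b965cdaa42416bcbd78",
}
SHA256_IOCS = {
    "e00179c7bc76f90864f32275de183f76730cd4a99173c0b6fd6504afa02c8d55",
    "db511ead013e21f51303dd4f6a856418f88d72a7f95c0b2ace0c3ba80866bdf6",
    "c054f6597665fccd18751a88d15488657ff19a286dbd4aac7ecb773b0df60c4d",
    "57bc6b95ecea7e0ca34174f1190de1e9664408311c973866b853d24f41b0e760",
    "57afc0eac8b23d955b75585d5ca7b086a7e17df94b9cb276847ec1c5fe6b6c1a",
    "56becf7125a1596e30f80befb986ae96e18da5be40cc3f78ac0c35ae7a4e17ae",
    "33f79a64fee300f60541a96e2b0c4bcec3aac6f717dff52baa9da7ed803ed6f3",
    "c8103ef05c45313100802128e8856713e08bda283af796002e139d3ae78bee15",
}
# Decoy archive name from the advisory (Arabic, in logical character order, extension last).
FILENAME_IOCS = {"ملف التدريب والتجنيس الجديد المتعلق بالمنتسبين الجدد.rar"}


@dataclass(frozen=True)
class Match:
    """One indicator hit on one file (record type defined by this example)."""
    path: str
    indicator_type: str  # "md5", "sha1", "sha256" or "filename"
    indicator: str


def hash_file(path, chunk_size=1 << 20):
    """Return {'md5', 'sha1', 'sha256'} hex digests, reading the file only once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_indicators(path, digests, md5s=MD5_IOCS, sha1s=SHA1_IOCS,
                     sha256s=SHA256_IOCS, names=FILENAME_IOCS):
    """Pure matching step: compare one file's name and digests against the IOC sets."""
    matches = []
    name = Path(path).name
    if name in names:
        matches.append(Match(str(path), "filename", name))
    for kind, pool in (("md5", md5s), ("sha1", sha1s), ("sha256", sha256s)):
        value = digests.get(kind, "").lower()  # tolerate upper-case hex from other tools
        if value in pool:
            matches.append(Match(str(path), kind, value))
    return matches


def scan_directory(root, **iocs):
    """Walk `root` and return every Match; unreadable files are skipped, not fatal."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files so the hunt stays inside `root`
            try:
                digests = hash_file(full)
            except OSError:
                continue  # permission denied, file vanished mid-scan, etc.
            matches.extend(match_indicators(full, digests, **iocs))
    return matches


if __name__ == "__main__":
    import sys
    for m in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{m.indicator_type}\t{m.indicator}\t{m.path}")
```

Run it as `python hunt.py /path/to/scan`. Hash indicators only match the exact samples in this advisory, so a repacked or recompiled variant will not trip them; treat a clean hash sweep as a first pass, not as proof of absence, and pair it with the filename indicator in mail gateway and endpoint telemetry.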
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.