November 25, 2021
Severity
Medium
Analysis Summary
APT C-23, also known as AridViper and Desert Falcon, is active in the Middle East region, targeting different sectors with malicious documents. The group was first discovered around March 2017, and the Middle East emerged as its main target. The group has previously distributed a fake Android app to deploy Android/SpyC23, used mainly for spying: reading notifications from messaging apps, call recording and screen recording, together with new stealth features such as dismissing notifications from built-in Android security apps. The ongoing campaign targets Sudan with a decoy document impersonating an embassy in Sudan’s capital, Khartoum, requesting diplomatic permission for two military aircraft (C-130 + C-17) to land and a permit valid for 72 hours. The timing of these documents is significant, given the ongoing policy-making activity and shifting ties between countries in the Middle East region.
The decoy documents look like an attempt to sabotage the diplomatic talks going on between Middle Eastern countries.
This is related to the spying campaign already active in the Middle East via Android mobile apps, which are built to resist takedowns and manual removal. The spyware is delivered as apps named App Updates, System Apps Updates, or Android Update Intelligence, sent to users as links in text messages; after installation it asks for specific permissions, including access to media apps and other files on the phone.
Impact
- Information theft and espionage
- Data exfiltration
Indicators of Compromise
Filename
- ملف التدريب والتجنيس الجديد المتعلق بالمنتسبين الجدد[.]rar (Arabic; the extraction reversed the bidirectional text so that the defanged extension appeared first)
MD5
- ffc97a79f87dbc48b2230566b7af189f
- ed11daeb1f49f9dc73c3ff72c92416b4
- bb791edaf5cba30d59f70c1e2e8c6672
- fe4a7e55e17aba385a477bea2c6ef837
- 73062a456903a4d12ba64423e0071dd0
- 117f9b3baa5349afb60377421d53cfef
- 29ad37ab4e5e78f34ae8232f93d5bfa2
- 2a37ab6e3ba450fdc2b27328f52f0226
SHA-256
- e00179c7bc76f90864f32275de183f76730cd4a99173c0b6fd6504afa02c8d55
- db511ead013e21f51303dd4f6a856418f88d72a7f95c0b2ace0c3ba80866bdf6
- c054f6597665fccd18751a88d15488657ff19a286dbd4aac7ecb773b0df60c4d
- 57bc6b95ecea7e0ca34174f1190de1e9664408311c973866b853d24f41b0e760
- 57afc0eac8b23d955b75585d5ca7b086a7e17df94b9cb276847ec1c5fe6b6c1a
- 56becf7125a1596e30f80befb986ae96e18da5be40cc3f78ac0c35ae7a4e17ae
- 33f79a64fee300f60541a96e2b0c4bcec3aac6f717dff52baa9da7ed803ed6f3
- c8103ef05c45313100802128e8856713e08bda283af796002e139d3ae78bee15
SHA-1
- e5abf9f727c4b557f7450cfaccc907f35074fd2d
- 5df9d696f1bd2ee560a2c97ca07a6bc22a9a8518
- fa3cfb2858fdab292d3059b143bd0620c97040e8
- cdb5b7aed5580644eb845238774d7d6319b4c874
- cc7611e98594b2d14236a265268b251170e9402c
- 865d5aa59aaca4c886cd8747d3d6077a2955898a
- 8dd6c87a01007e41ef82e4cbb402334d7ae08650
- 2256b0f1b93889e65e187b965cdaa42416bcbd78
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious of emails sent by unknown senders.
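A practical way to act on the second remediation step (searching your environment for the file-hash IOCs above) is a small hash-matching scanner. The following Python script is an added example written for this page, not Rewterz's own tooling; it embeds the MD5, SHA-1 and SHA-256 values listed above, hashes every file under a directory in one pass and reports any file whose digest appears in the IOC sets. The `scan_tree`, `hash_file` and `match_iocs` names are this example's own, and it assumes only the Python standard library.

```python
import hashlib
import os
import sys

# File-hash IOCs copied from the alert above, keyed by hashlib algorithm name.
IOCS = {
    "md5": {
        "ffc97a79f87dbc48b2230566b7af189f", "ed11daeb1f49f9dc73c3ff72c92416b4",
        "bb791edaf5cba30d59f70c1e2e8c6672", "fe4a7e55e17aba385a477bea2c6ef837",
        "73062a456903a4d12ba64423e0071dd0", "117f9b3baa5349afb60377421d53cfef",
        "29ad37ab4e5e78f34ae8232f93d5bfa2", "2a37ab6e3ba450fdc2b27328f52f0226",
    },
    "sha1": {
        "e5abf9f727c4b557f7450cfaccc907f35074fd2d", "5df9d696f1bd2ee560a2c97ca07a6bc22a9a8518",
        "fa3cfb2858fdab292d3059b143bd0620c97040e8", "cdb5b7aed5580644eb845238774d7d6319b4c874",
        "cc7611e98594b2d14236a265268b251170e9402c", "865d5aa59aaca4c886cd8747d3d6077a2955898a",
        "8dd6c87a01007e41ef82e4cbb402334d7ae08650", "2256b0f1b93889e65e187b965cdaa42416bcbd78",
    },
    "sha256": {
        "e00179c7bc76f90864f32275de183f76730cd4a99173c0b6fd6504afa02c8d55",
        "db511ead013e21f51303dd4f6a856418f88d72a7f95c0b2ace0c3ba80866bdf6",
        "c054f6597665fccd18751a88d15488657ff19a286dbd4aac7ecb773b0df60c4d",
        "57bc6b95ecea7e0ca34174f1190de1e9664408311c973866b853d24f41b0e760",
        "57afc0eac8b23d955b75585d5ca7b086a7e17df94b9cb276847ec1c5fe6b6c1a",
        "56becf7125a1596e30f80befb986ae96e18da5be40cc3f78ac0c35ae7a4e17ae",
        "33f79a64fee300f60541a96e2b0c4bcec3aac6f717dff52baa9da7ed803ed6f3",
        "c8103ef05c45313100802128e8856713e08bda283af796002e139d3ae78bee15",
    },
}


def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Compute several digests of one file in a single read, chunked so large files fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests, iocs=IOCS):
    """Return the (algorithm, digest) pairs that appear in the IOC sets; empty list means no hit."""
    return [(alg, d) for alg, d in digests.items() if d.lower() in iocs.get(alg, set())]


def scan_tree(root, iocs=IOCS):
    """Walk a directory tree and return {path: [(algorithm, digest), ...]} for every matching file."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                # Unreadable file (permissions, file removed mid-scan): skip it rather than abort.
                continue
            matches = match_iocs(digests, iocs)
            if matches:
                hits[path] = matches
    return hits


if __name__ == "__main__":
    # Usage: python scan_iocs.py /path/to/scan  (defaults to the current directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, matches in scan_tree(root).items():
        for alg, digest in matches:
            print(f"IOC HIT {alg}={digest} {path}")
```

Because `match_iocs` and `scan_tree` take the IOC table as a parameter, the same code can be pointed at a different alert's hash list, or at one algorithm only, without editing the functions; a hit on any single algorithm is enough to flag the file.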