Rewterz Threat Advisory – CVE-2021-45232 – Apache APISIX Dashboard
December 28, 2021
Severity
High
Analysis Summary
APT-C-23, also known as AridViper and Desert Falcon, is active in the region, targeting different sectors with malicious documents. The group was first discovered around March 2017, and the Middle East emerged as its main target. The group has previously faked an Android app to deploy Android/SpyC23, used mainly for spying, including reading notifications from messaging apps, call recording and screen recording, with new stealth features such as dismissing notifications from built-in Android security apps.
A new sample also appears to be in use by APT-C-23. Once it is executed, a decoy document on the subject “What does profit from the internet mean?” is shown to confuse the victim, while the RAT runs in the background to provide remote control.
This is related to the ongoing spying campaign already active in the Middle East via Android mobile apps, which also confers resistance to takedowns and manual removal. The spyware takes the form of apps named App Updates, System Apps Updates or Android Update Intelligence, which are sent to users in text messages; after installation, it asks for specific permissions, including access to media apps and other file apps on the phone.
Impact
- Unauthorized access to victim’s machine
- Information theft and espionage
- Exposure of sensitive data
Indicators of Compromise
Filename
- Profit from the Internet[.]docx
MD5
- 79f706153bad3fd0f623932c522bfab3
- 186a18e2082e42f92d8f4dc7f219d88f
SHA-256
- e6108b5063488f843edae658d362ec7ca2b0ee31f0b65275ff9d19d3ed44888f
- 3ce7329244986d8484cdd5168aa8b7165147899b298124d749680dd04eca58ca
SHA-1
- 48a18fb4cb71ca968d8b6ec5d164bb36c831a2e3
- 0909e7f0ea3408f47bb7cc257877a790754da894
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
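To support the “Search for IOCs in your environment” step, the following added example (not a Rewterz tool) hashes every file under a directory and reports any that match the hashes or the decoy filename listed in this advisory. The directory path, the one-pass hashing helper and the refanging of `[.]` in the filename are assumptions made here for illustration.

```python
import hashlib
import os
from pathlib import Path

# Indicator values copied from the advisory above (lowercase hex).
IOC_HASHES = {
    "md5": {"79f706153bad3fd0f623932c522bfab3",
            "186a18e2082e42f92d8f4dc7f219d88f"},
    "sha1": {"48a18fb4cb71ca968d8b6ec5d164bb36c831a2e3",
             "0909e7f0ea3408f47bb7cc257877a790754da894"},
    "sha256": {"e6108b5063488f843edae658d362ec7ca2b0ee31f0b65275ff9d19d3ed44888f",
               "3ce7329244986d8484cdd5168aa8b7165147899b298124d749680dd04eca58ca"},
}
# The advisory defangs the decoy name as "Profit from the Internet[.]docx";
# refang it (assumption: "[.]" stands for ".") and compare case-insensitively.
IOC_FILENAMES = {"Profit from the Internet[.]docx".replace("[.]", ".").lower()}


def file_hashes(path, chunk_size=1 << 16):
    """Compute MD5, SHA-1 and SHA-256 of one file in a single read pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_file(path, hashes=IOC_HASHES, filenames=IOC_FILENAMES):
    """Return a list of (indicator_type, value) hits for a single file."""
    hits = []
    name = Path(path).name.lower()
    if name in filenames:
        hits.append(("filename", name))
    for algo, digest in file_hashes(path).items():
        if digest in hashes.get(algo, ()):
            hits.append((algo, digest))
    return hits


def scan_directory(root, hashes=IOC_HASHES, filenames=IOC_FILENAMES):
    """Walk root and return {path: hits} for every file matching at least one indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                hits = match_file(p, hashes, filenames)
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if hits:
                findings[p] = hits
    return findings
```

Run `scan_directory("/path/to/suspect/share")` from an interactive session; a non-empty result means a file matched a listed hash or the decoy filename and should be preserved for forensic review rather than deleted.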