
Rewterz Threat Alert – APT Group GhostWriter/UNC1151 Targeting Ukraine – Active IOCs – Russian-Ukrainian Cyber Warfare

March 10, 2022

Severity

High

Analysis Summary

GhostWriter, a cyber espionage campaign that has targeted audiences in Poland, Latvia, and Lithuania since mid-2020, has been attributed to UNC1151, a Minsk-based, state-sponsored APT group that runs malware campaigns and credential-harvesting attacks. UNC1151 is now targeting Ukrainian government officials and military personnel with mass phishing emails that harvest mailbox credentials. Once an account is compromised, the attackers log in over IMAP and gain access to all of its messages. They then use contact details from the victim's address book to send further phishing emails to the victim's contacts, so the campaign spreads along existing trust relationships.

Impact

  • Information Theft and Espionage

Indicators of Compromise

Domain Name

  • tvasahi[.]online
  • meta-ua[.]space
  • creditals-email[.]space
  • verify-mail[.]space
  • verify-email[.]space
  • bigmir[.]space
  • mil-gov[.]space
  • mirrohost[.]space
  • ua-passport[.]space
  • konto-verify[.]space
  • weryfikacja-konta[.]space
  • walidacja-uzytkownika[.]space
  • weryfikacja-poczty[.]space
  • akademia-mil[.]space
  • kontrola-poczty[.]space
  • walidacja-poczty[.]space
  • ron-mil[.]space
  • creditals-mirohost[.]space
  • kontrola-poczty[.]site
  • mirohost[.]online
  • mirohost[.]site
  • mod-mil[.]online
  • mod-mil[.]site

Filename

  • Operativna_informacia[.]chm
  • paggingfile[.]dll
  • Network access center[.]lnk
  • droplet[.]vbs
  • desktop[.]ini

MD5

  • 98905083d8e1701731f998bcde4cea58
  • d7e5b7119f8b17a4aa4a3544eceaf8c4
  • 75ca758eb0429fbcdb78d76566ad2ae7
  • 308a239e5ae12e15d21dccb98a490e31
  • cc859282c0541d0d1feb37c7d7a2a4cf

SHA-256

  • d723b6fbbdc27ad82794e9423187fff4a4f4ced69bfe175f75800863ffedfb70
  • 9390bae396f6cb8b4be9b695f5dda2f8407c3b8c1b15b73cbc8571b921661a7b
  • 0d1ea78cb2a3c1af8529a520c3bfc1f4121bfcc060b99e71c7c394934c4333e5
  • a81651d5c1a3757bce7ccff44b8c40d054608fe6d3c77c56f9fa9464750cf721
  • 6ded2617e028c5389a1faca6c3c4291efdf50b76b0b8bda1f0fc682851632c7a

SHA-1

  • e62964354a1909b655342a48b2ee10ece820be1d
  • 3607d24ce780952f40e7862a7e6516d8581090ca
  • 31fbb8dd4ee535dec4d911e443751d7786c013e1
  • 4b43956757c69017b372eb1dfb48e445c93129d9
  • 7c94ee9a89c51d84b695e6e43a30af266eab8e33

Remediation

  • Block all threat indicators at your respective controls (mail gateway, web proxy, DNS resolver, EDR).
  • Search for the IOCs in your environment, including proxy, DNS, and mail logs and endpoint file hashes.
  • Enforce multi-factor authentication on webmail accounts and review or disable legacy IMAP access where it is not required, since the attackers read compromised mailboxes over IMAP.
  • Be suspicious of emails from unknown senders, and of unexpected messages from known contacts, since compromised address books are used to send further phishing.
  • Never click on links or open attachments sent by unknown senders.
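To act on the blocking and searching steps above, the following Python script (an added example written for this page, not Rewterz's own tooling) refangs the advisory's domain and hash IOCs, exports a ready-to-load domain blocklist, and scans log lines for matches. The log field names it recognises (url=, dns_query=, query=, host=, sha256=) and the sample log lines are assumptions constructed for the example; the pairing of a file name with a particular hash in the sample is illustrative and not stated by the advisory. Adapt HOST_RE to your own proxy, DNS and EDR export formats.

```python
import re

# IOCs copied from the advisory above, defanged exactly as published.
DEFANGED_DOMAINS = [
    "tvasahi[.]online", "meta-ua[.]space", "creditals-email[.]space",
    "verify-mail[.]space", "verify-email[.]space", "bigmir[.]space",
    "mil-gov[.]space", "mirrohost[.]space", "ua-passport[.]space",
    "konto-verify[.]space", "weryfikacja-konta[.]space",
    "walidacja-uzytkownika[.]space", "weryfikacja-poczty[.]space",
    "akademia-mil[.]space", "kontrola-poczty[.]space",
    "walidacja-poczty[.]space", "ron-mil[.]space",
    "creditals-mirohost[.]space", "kontrola-poczty[.]site",
    "mirohost[.]online", "mirohost[.]site", "mod-mil[.]online", "mod-mil[.]site",
]

# MD5, SHA-1 and SHA-256 values from the advisory, lowercased for comparison.
FILE_HASHES = {
    "98905083d8e1701731f998bcde4cea58", "d7e5b7119f8b17a4aa4a3544eceaf8c4",
    "75ca758eb0429fbcdb78d76566ad2ae7", "308a239e5ae12e15d21dccb98a490e31",
    "cc859282c0541d0d1feb37c7d7a2a4cf",
    "e62964354a1909b655342a48b2ee10ece820be1d", "3607d24ce780952f40e7862a7e6516d8581090ca",
    "31fbb8dd4ee535dec4d911e443751d7786c013e1", "4b43956757c69017b372eb1dfb48e445c93129d9",
    "7c94ee9a89c51d84b695e6e43a30af266eab8e33",
    "d723b6fbbdc27ad82794e9423187fff4a4f4ced69bfe175f75800863ffedfb70",
    "9390bae396f6cb8b4be9b695f5dda2f8407c3b8c1b15b73cbc8571b921661a7b",
    "0d1ea78cb2a3c1af8529a520c3bfc1f4121bfcc060b99e71c7c394934c4333e5",
    "a81651d5c1a3757bce7ccff44b8c40d054608fe6d3c77c56f9fa9464750cf721",
    "6ded2617e028c5389a1faca6c3c4291efdf50b76b0b8bda1f0fc682851632c7a",
}


def refang(indicator):
    """Restore a defanged indicator ("[.]" -> ".") and normalise its case."""
    return indicator.strip().lower().replace("[.]", ".")


DOMAINS = sorted({refang(d) for d in DEFANGED_DOMAINS})


def blocklist():
    """Refanged domain list, ready to load into a DNS sinkhole or proxy deny list."""
    return list(DOMAINS)


def domain_hit(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else ""."""
    host = host.strip().lower().rstrip(".")
    for ioc in DOMAINS:
        # The leading dot stops "notmirohost.online" from matching "mirohost.online".
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return ""


# Hostnames taken from URLs or from key=value fields as they might appear in
# proxy/DNS/EDR exports (the field names are an assumption; adjust to your logs).
HOST_RE = re.compile(r"(?:https?://|dns_query=|query=|host=)([a-z0-9.-]+)", re.I)
# Bare SHA-256 (64), SHA-1 (40) or MD5 (32) hex strings.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)


def scan_line(line):
    """Return the IOC matches in one log line, as 'domain:...' / 'hash:...' strings."""
    hits = []
    for host in HOST_RE.findall(line):
        ioc = domain_hit(host)
        if ioc:
            hits.append("domain:" + ioc)
    for digest in HASH_RE.findall(line):
        if digest.lower() in FILE_HASHES:
            hits.append("hash:" + digest.lower())
    return hits


def scan(lines):
    """Return (line_number, line, hits) for every line with at least one IOC match."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log lines (not real telemetry) covering proxy, DNS and EDR sources.
SAMPLE_LOGS = [
    "2022-03-09T08:12:01Z proxy src=10.1.4.22 url=https://verify-mail.space/owa/auth.php status=200",
    "2022-03-09T08:12:03Z dns client=10.1.4.22 dns_query=mail.mirohost.site type=A",
    "2022-03-09T08:14:10Z edr host=WS-0142 file=Operativna_informacia.chm "
    "sha256=d723b6fbbdc27ad82794e9423187fff4a4f4ced69bfe175f75800863ffedfb70",
    "2022-03-09T08:15:00Z proxy src=10.1.4.23 url=https://mail.example.com/owa/ status=200",
    "2022-03-09T08:16:44Z dns client=10.1.4.23 dns_query=notmirohost.online type=A",
]

if __name__ == "__main__":
    for number, line, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}\n    {line}")
```

The filename indicators from the advisory are deliberately left out of the matcher: desktop.ini exists on virtually every Windows host and paggingfile.dll or droplet.vbs are trivially renamed, so they are useful as context when triaging a hash or domain hit but not as stand-alone alert conditions. Subdomain matching is done with an explicit leading dot rather than a plain substring search, which is the difference between catching mail.mirohost.site and paging the on-call analyst for an unrelated notmirohost.online.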