Rewterz Threat Alert – Bitter APT Group – Active IOCs
March 1, 2022Malware Analysis Report – Rewterz | LokiBot
March 2, 2022Rewterz Threat Alert – Bitter APT Group – Active IOCs
March 1, 2022Malware Analysis Report – Rewterz | LokiBot
March 2, 2022Severity
High
Analysis Summary
Researchers have identified recent Mustang Panda activity that involves the use of DLL side-loading to deliver PlugX. The initial infection vector is an executable downloaded from a remote URL. The executable is responsible for installing the malware by dropping the required files (a DLL loader, a legitimate binary, and the PlugX payload) onto the system. The legitimate binary is the Adobe CEF Helper and is vulnerable to DLL side-loading. When the installer runs the legitimate binary, the dropped DLL is loaded. This DLL is the loader for the final payload. First, it reads a hardcoded .dat file that contains the XOR key for decrypting the final payload, then it performs the decryption and loads the malware into memory. Once running in memory, the PlugX payload is able to decrypt its configuration data, which includes its installation location, the XOR key for C2 communication, and any C2 addresses and ports
Mustang Panda, which although is a Chinese group, has also been taking advantage of the Russian-Ukrainian cyber warfare and used the situation to deploy a malware Ukraine.exe
Impact
- Information Theft
- Exposure of Sensitive Data
Indicators of Compromise
Filename
- Situation at the EU borders with Ukraine[.]zip
- eu adopts conclusions on eu priorities in un human rights fora in 2022[.]exe
- EU priorities in UN human rights fora in 2022[.]exe
IP
- 103[.]107[.]104[.]19
- 92[.]118[.]188[.]78
MD5
- 7b2f41b57b9ab4151eb37ed69db9fdf8
- 25a14e50486c738bc92da69c02063e23
- 50c750ddd7f79627f27e48a7dbafeec2
SHA-256
- 8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac
- effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1
- aa8fb15d63bd22b2ff15a9f1b4f4422b3c6af026915168c81d7bb38c9be2ab78
SHA-1
- 2f46a7ed5d7a303c0f25d5e4a18bcbf01ce9af26
- 22d80be7d7916763648a98a0afdb7c0c7e42b3d9
- 52ddd7483eeb8b096457178a7f9f2136af33e604
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.