Rewterz Threat Alert – Lazarus APT Group – Active IOCs
December 9, 2021Rewterz Threat Advisory – CVE-2021-20047 – SonicWall Global VPN Client
December 10, 2021Rewterz Threat Alert – Lazarus APT Group – Active IOCs
December 9, 2021Rewterz Threat Advisory – CVE-2021-20047 – SonicWall Global VPN Client
December 10, 2021Severity
High
Analysis Summary
Researchers have identified recent Mustang Panda activity that involves the use of DLL side-loading to deliver PlugX. The initial infection vector is an executable downloaded from a remote URL. The executable is responsible for installing the malware by dropping the required files (a DLL loader, a legitimate binary, and the PlugX payload) onto the system. The legitimate binary is the Adobe CEF Helper and is vulnerable to DLL side-loading. When the installer runs the legitimate binary, the dropped DLL is loaded. This DLL is the loader for the final payload. First, it reads a hardcoded .dat file that contains the XOR key for decrypting the final payload, then it performs the decryption and loads the malware into memory. Once running in memory, the PlugX payload is able to decrypt its configuration data, which includes its installation location, the XOR key for C2 communication, and any C2 addresses and ports.
Impact
- Information Theft
- Exposure of Sensitive Data
Indicators of Compromise
Filename
- Adobedb[.]dat
- 1[.]rar
IP
- 101[.]36[.]125[.]203
MD5
- 65c5b85eb83651ba999b0e8a39731fe2
- 2d79767e4f6118afb9e86351be178b6d
SHA-256
- f647e7455b3e0f14266664b75e281875d5ff42b635d6d30b4eb16f849f47ae76
- fc8b2392b92860c7ca669d5274b65498ebd9c3992149cf6727d935c9d0fb48bb
SHA-1
- a66d7ec5165b831587865a035ee8b17d5cbcf258
- 74b269cdf488b09d06ac6b6e8c9c8e75254d642
Remediation
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.