Rewterz Threat Alert – LokiBot Malware – Active IOCs
November 22, 2022Rewterz Threat Alert – World Cup Phishing Email Campaigns Spike In Arab Countries – Active IOCs
November 23, 2022Rewterz Threat Alert – LokiBot Malware – Active IOCs
November 22, 2022Rewterz Threat Alert – World Cup Phishing Email Campaigns Spike In Arab Countries – Active IOCs
November 23, 2022Severity
High
Analysis Summary
MustangPanda, aka Bronze President and TA416, has been active since at least 2012. This threat actor targeted government agencies, think tanks, NGOs, and even Vatican-affiliated religious institutions in the United States and Europe. Asian countries, such as Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar, were the main focus of the past campaigns. The group is notorious for creating phishing lures based on current events that might interest its target, for example, Covid-19 pandemic, political subjects, and most trending issues like Russian-Ukrainian cyber warfare.
The Trojan application PlugX has been the most popular malicious implant utilized by Mustang Panda and is still the preferred spying weapon for the group. The recent Mustang Panda activity involves the use of DLL side-loading to deliver PlugX. The initial infection vector is an executable downloaded from a remote URL. The executable is responsible for installing the malware by dropping the required files (a DLL loader, a legitimate binary, and the PlugX payload) onto the system. The legitimate binary is the Adobe CEF Helper and is vulnerable to DLL side-loading. When the installer runs the legitimate binary, the dropped DLL is loaded. This DLL is the loader for the final payload. First, it reads a hardcoded .dat file that contains the XOR key for decrypting the final payload, then it performs the decryption and loads the malware into memory. Once running in memory, the PlugX payload is able to decrypt its configuration data, which includes its installation location, the XOR key for C2 communication, and any C2 addresses and ports.
Recently, threat actors are using legitimate Microsoft Suite Integration Toolkit Executable to side load the PlugX payload.
Impact
- Information Theft
- Exposure To Sensitive Data
Indicators of Compromise
IP
- 98.142.251.29
MD5
865d2582e7ae2a13f363ab5cdb60da9c
8251d2c698028db64583971760c7f3f0
SHA-256
16aa2ab689a197c1a06ed240cbfedeae6cc3fdee855593fe9aeb4ac3860a0437
bac0c2083011a1857d4c5d872f598bd78193bb7c4e309f14d0d6e075a11a8537
SHA-1
91f85682756ca0a6ed790b8edcd436a39606c77f
9d63eb801cef5eb85a9ecff681ef1ebc0c6f405f
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.