December 10, 2021
Severity
High
Analysis Summary
Researchers have identified recent Mustang Panda activity that uses a Microsoft Word document to deliver PlugX. The initial infection vector is a downloadable document attached to a phishing email. The executable installs the malware by dropping the required files (a DLL loader, a legitimate binary, and the PlugX payload) onto the system. The campaign targets Germany and Russia in connection with the Nord Stream 2 pipeline, which was completed earlier in September and came under threat after Russia threatened to invade Ukraine following alleged opposition from the US and Ukraine. The ongoing conflict escalated into a serious situation: fierce words were exchanged by diplomatic missions over the event, and the USA sanctioned Russian entities related to it (but not the company behind the pipeline) while trying to rebuild ties with Germany that had deteriorated under Donald Trump's administration.
Impact
- Information theft and espionage
- Exposure of sensitive data
Indicators of Compromise
Filename
- Nord Stream2[.] Two sides of the one coin[.]docx
- Global Forum on Cyber Expertise[.]docx
MD5
- 1ff24d73646d1958590e2bdba64f35de
- 216f2c0db84ab3bdabcb11b9af2cc024
SHA-256
- 309ba0a33ecf3e123bc3e539a5443b5b633a135c3fc44fd0941d520fee39afb1
- 60e9222f464cc99014a909ca4548cf38b20c7a5bbd80714dfd95ce89842be7db
SHA-1
- 0a93c2020c127d53f696036bf5295d622701dd94
- 71693b4b0cc9c091416be677c7fa7a3939a89af7
Remediation
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
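The last remediation step, searching for the listed IOCs, can be automated. The script below is an added example, not part of the Rewterz alert: it walks a directory tree, hashes each file once with MD5, SHA-1 and SHA-256, and reports any file whose digest or (refanged) filename matches the indicators above. The hash and filename values are copied from the alert; the function names, the hit tuple format and the scanned directory are assumptions.

```python
import hashlib
import os

# Indicators copied from the alert above. Filenames are defanged with "[.]" on
# the page; refang() restores the real dot before comparing.
ALERT_IOCS = {
    "filename": {"Nord Stream2[.] Two sides of the one coin[.]docx",
                 "Global Forum on Cyber Expertise[.]docx"},
    "md5": {"1ff24d73646d1958590e2bdba64f35de",
            "216f2c0db84ab3bdabcb11b9af2cc024"},
    "sha1": {"0a93c2020c127d53f696036bf5295d622701dd94",
             "71693b4b0cc9c091416be677c7fa7a3939a89af7"},
    "sha256": {"309ba0a33ecf3e123bc3e539a5443b5b633a135c3fc44fd0941d520fee39afb1",
               "60e9222f464cc99014a909ca4548cf38b20c7a5bbd80714dfd95ce89842be7db"},
}


def refang(name: str) -> str:
    """Turn a defanged indicator ("foo[.]docx") into a comparable lowercase name."""
    return name.replace("[.]", ".").lower()


def digest_file(path: str) -> dict:
    """Read the file once and return lowercase md5, sha1 and sha256 hex digests."""
    hashers = {a: hashlib.new(a) for a in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root: str, iocs: dict = ALERT_IOCS) -> list:
    """Walk root; return (path, ioc_type, value) for every name or hash hit."""
    names = {refang(n) for n in iocs.get("filename", ())}
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            if refang(fname) in names:
                matches.append((full, "filename", fname))
            try:
                digests = digest_file(full)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep sweeping
            for algo, hexdigest in digests.items():
                if hexdigest in iocs.get(algo, ()):
                    matches.append((full, algo, hexdigest))
    return matches
```

A filename hit alone is weak evidence (the lure names are easy to reuse), so treat hash hits as the confirming signal and pull the file for analysis rather than deleting it in place.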