SEVERITY: HIGH
CATEGORY: APT (Advanced Persistent Threat)
ANALYSIS SUMMARY
The group known as APT10 (whose campaign against service providers is tracked as Cloud Hopper) hits victims in many sectors, including information technology, finance, energy, healthcare and public health, communications, and critical manufacturing. The espionage campaign has targeted managed service providers (MSPs): by compromising a provider, APT10 obtains the trusted access that provider holds into its clients' networks, and has used it to steal large volumes of intellectual property and sensitive data from the providers and their clients worldwide.
The campaign uses multiple malware families and variants, some of which are not currently detected by anti-virus signatures. Depending on the defensive mitigations in place, the operators may gain full access to networks and data through channels that appear legitimate, such as a provider's existing administrative connections into a client network, and thereby bypass detection. The tooling consists of customised variants of trojans previously linked to Chinese espionage campaigns.
INDICATORS OF COMPROMISE
IP(s) / Hostname(s)
- 103[.]208[.]86[.]129
- 107[.]181[.]160[.]109
- 109[.]237[.]108[.]150
- 109[.]237[.]108[.]202
- 109[.]237[.]111[.]175
- 109[.]248[.]222[.]85
- 110[.]10[.]176[.]181
- 151[.]101[.]100[.]73
- 151[.]236[.]20[.]16
- 158[.]255[.]208[.]170
- 158[.]255[.]208[.]189
- 158[.]255[.]208[.]61
- 160[.]202[.]163[.]78
- 160[.]202[.]163[.]79
- 160[.]202[.]163[.]82
- 160[.]202[.]163[.]90
- 160[.]202[.]163[.]91
- 162[.]243[.]6[.]98
- 183[.]134[.]11[.]84
- 185[.]117[.]88[.]77
- 185[.]117[.]88[.]78
- 185[.]117[.]88[.]81
- 185[.]117[.]88[.]82
- 185[.]133[.]40[.]63
- 185[.]14[.]185[.]189
- 185[.]141[.]25[.]33
- 211[.]110[.]17[.]209
- 31[.]184[.]198[.]23
- 31[.]184[.]198[.]38
- 61[.]97[.]241[.]239
- 81[.]176[.]239[.]56
- 86[.]106[.]102[.]3
- 92[.]242[.]144[.]2
- 95[.]183[.]52[.]57
- 95[.]47[.]156[.]86
- abc[.]wikaba[.]com
- ad[.]getfond[.]info
- additional[.]sexidude[.]com
- announcements[.]toythieves[.]com
- apple[.]cmdnetview[.]com
- apple[.]ikwb[.]com
- appledownload[.]ourhobby[.]com
- appleimages[.]itemdb[.]com
- appleimages[.]longmusic[.]com
- appleimages[.]organiccrap[.]com
- applemirror[.]organiccrap[.]com
- applemirror[.]squirly[.]info
- applemusic[.]isasecret[.]com
- applemusic[.]itemdb[.]com
- applemusic[.]wikaba[.]com
- applemusic[.]xxuz[.]com
- applemusic[.]zzux[.]com
- appleupdate[.]itemdb[.]com
- appleupdateurl[.]2waky[.]com
- asfzx[.]x24hr[.]com
- availab[.]wikaba[.]com
- availability[.]justdied[.]com
- babymusicsitetr[.]mymom[.]info
- back[.]jungleheart[.]com
- back[.]mofa[.]dynamic-dns[.]net
- bak[.]ignorelist[.]com
- bak[.]un[.]dnsrd[.]com
- balance1[.]wikaba[.]com
- barber[.]faqserv[.]com
- be[.]mrslove[.]com
- bexm[.]cleansite[.]biz
- bezu[.]itemdb[.]com
- billing[.]organiccrap[.]com
- blaaaaaaaaaaaa[.]windowsupdate[.]3-a[.]net
- brand[.]fartit[.]com
- bulletproof[.]squirly[.]info
- cdn[.]incloud-go[.]com
- center[.]shenajou[.]com
- cia[.]ezua[.]com
- civilwar123[.]authorizeddns[.]org
- civilwar520[.]onmypc[.]org
- cnnews[.]mylftv[.]com
- commissioner[.]shenajou[.]com
- commons[.]onedumb[.]com
- contactus[.]myddns[.]com
- contactus[.]onmypc[.]us
- contract[.]4mydomain[.]com
- contractus[.]qpoe[.]com
- contractus[.]zzux[.]com
- cress[.]mynetav[.]net
- ctldl[.]microsoftupdate[.]qhigh[.]com
- ctldl[.]windowsupdate[.]authorizeddns[.]us
- ctldl[.]windowsupdate[.]dnset[.]com
- ctldl[.]windowsupdate[.]ezua[.]com
- ctldl[.]windowsupdate[.]itsaol[.]com
- ctldl[.]windowsupdate[.]organiccrap[.]com
- ctldl[.]windowsupdate[.]x24hr[.]com
- cvnx[.]zyns[.]com
- dasonews[.]youdontcare[.]com
- daughter[.]vizvaz[.]com
- de[.]onmypc[.]info
- dec[.]seyesb[.]acmetoy[.]com
- details[.]squirly[.]info
- development[.]shenajou[.]com
- dick[.]ccfchrist[.]com
- digsby[.]ourhobby[.]com
- disruptive[.]https443[.]net
- document[.]shenajou[.]com
- download[.]windowsupdate[.]dedgesuite[.]net
- download[.]windowsupdate[.]dnset[.]com
- download[.]windowsupdate[.]itsaol[.]com
- download[.]windowsupdate[.]x24hr[.]com
- ea[.]onmypc[.]info
- edgar[.]ccfchrist[.]com
- ehshiroshima[.]mylftv[.]com
- eric-averyanov[.]wha[.]la
- eu[.]acmetoy[.]com
- eu[.]wha[.]la
- ewe[.]toshste[.]com
- fabian[.]ccfchrist[.]com
- fbi[.]sexxxy[.]biz
- file[.]zzux[.]com
- feed[.]jungleheart[.]com
- film[.]everydayfilmlink[.]com
- findme[.]epac[.]to
- fire[.]mrface[.]com
- firstnews[.]jkub[.]com
- flea[.]poulsenv[.]com
- foal[.]wchildress[.]com
- fr[.]wikaba[.]com
- freegamecenter[.]onedumb[.]com
- ftp[.]2014[.]zzux[.]com
- ftp[.]additional[.]sexidude[.]com
- ftp[.]announcements[.]toythieves[.]com
- ftp[.]appledownload[.]ourhobby[.]com
- ftp[.]appleimages[.]itemdb[.]com
- ftp[.]appleimages[.]longmusic[.]com
- ftp[.]appleimages[.]organiccrap[.]com
- ftp[.]applemirror[.]organiccrap[.]com
- ftp[.]applemirror[.]squirly[.]info
- ftp[.]applemusic[.]isasecret[.]com
- ftp[.]applemusic[.]itemdb[.]com
- ftp[.]applemusic[.]wikaba[.]com
- ftp[.]applemusic[.]xxuz[.]com
- ftp[.]applemusic[.]zzux[.]com
- ftp[.]appleupdate[.]itemdb[.]com
- ftp[.]asfzx[.]x24hr[.]com
- ftp[.]availab[.]wikaba[.]com
- ftp[.]availability[.]justdied[.]com
- ftp[.]back[.]jungleheart[.]com
- ftp[.]balance1[.]wikaba[.]com
- ftp[.]be[.]mrslove[.]com
- ftp[.]brand[.]fartit[.]com
- ftp[.]bulletproof[.]squirly[.]info
- ftp[.]civilwar123[.]authorizeddns[.]org
- ftp[.]civilwar520[.]onmypc[.]org
- ftp[.]cnnews[.]mylftv[.]com
- ftp[.]commons[.]onedumb[.]com
- ftp[.]contractus[.]qpoe[.]com
- ftp[.]de[.]onmypc[.]info
- ftp[.]details[.]squirly[.]info
- ftp[.]disruptive[.]https443[.]net
- ftp[.]ea[.]onmypc[.]info
- ftp[.]ehshiroshima[.]mylftv[.]com
- ftp[.]eric-averyanov[.]wha[.]la
- ftp[.]eu[.]acmetoy[.]com
- ftp[.]eu[.]wha[.]la
- ftp[.]fire[.]mrface[.]com
- ftp[.]fr[.]wikaba[.]com
- ftp[.]fuck[.]ikwb[.]com
- ftp[.]generat[.]almostmy[.]com
- ftp[.]hii[.]qhigh[.]com
- ftp[.]innocent-isayev[.]sexidude[.]com
- ftp[.]invoices[.]sexxxy[.]biz
- ftp[.]itlans[.]isasecret[.]com
- ftp[.]itunesdownload[.]jkub[.]com
- ftp[.]itunesdownload[.]wikaba[.]com
- ftp[.]itunesimages[.]itemdb[.]com
- ftp[.]itunesimages[.]itsaol[.]com
- ftp[.]itunesimages[.]qpoe[.]com
- ftp[.]itunesmirror[.]fartit[.]com
- ftp[.]itunesmirror[.]itsaol[.]com
- ftp[.]itunesmusic[.]ikwb[.]com
- ftp[.]itunesmusic[.]jetos[.]com
- ftp[.]itunesmusic[.]jkub[.]com
- ftp[.]itunesmusic[.]zzux[.]com
- ftp[.]itunesupdate[.]itsaol[.]com
- ftp[.]itunesupdates[.]organiccrap[.]com
- ftp[.]jimin[.]mymom[.]info
- ftp[.]key[.]zzux[.]com
- ftp[.]knowledge[.]sellclassics[.]com
- ftp[.]lan[.]dynssl[.]com
- ftp[.]latestnews[.]epac[.]to
- ftp[.]latestnews[.]organiccrap[.]com
- ftp[.]macfee[.]mrface[.]com
- ftp[.]maffc[.]mrface[.]com
- ftp[.]malware[.]dsmtp[.]com
- ftp[.]mason[.]vizvaz[.]com
- ftp[.]mediapath[.]organiccrap[.]com
- ftp[.]Microsoft[.]got-game[.]org
- ftp[.]microsoft[.]mrface[.]com
- ftp[.]microsoftimages[.]organiccrap[.]com
- ftp[.]microsoftmusic[.]mrbasic[.]com
- ftp[.]microsoftqckmanager[.]pcanywhere[.]net
- ftp[.]microsoftupdate[.]mrbasic[.]com
- ftp[.]microsoftupdate[.]qhigh[.]com
- ftp[.]mmy[.]ddns[.]us
- ftp[.]mod[.]jetos[.]com
- ftp[.]mofa[.]dynamic-dns[.]net
- ftp[.]mofa[.]ns01[.]info
- ftp[.]moscowdic[.]trickip[.]org
- ftp[.]musicfile[.]ikwb[.]com
- ftp[.]na[.]americanunfinished[.]com
- ftp[.]newsdata[.]jkub[.]com
- ftp[.]no[.]authorizeddns[.]org
- ftp[.]nt[.]mynumber[.]org
- ftp[.]nz[.]compress[.]to
- ftp[.]ol[.]almostmy[.]com
- ftp[.]oracleupdate[.]dns04[.]com
- ftp[.]portal[.]mrface[.]com
- ftp[.]portal[.]sendsmtp[.]com
- ftp[.]portalser[.]dynamic-dns[.]net
- ftp[.]praskovya-matveyeva[.]mefound[.]com
- ftp[.]praskovya-ulyanova[.]dumb1[.]com
- ftp[.]products[.]almostmy[.]com
- ftp[.]products[.]cleansite[.]us
- ftp[.]products[.]serveuser[.]com
- ftp[.]purchase[.]lflinkup[.]org
- ftp[.]recent[.]dns-stuff[.]com
- ftp[.]recent[.]fartit[.]com
- ftp[.]referred[.]gr8domain[.]biz
- ftp[.]referred[.]yourtrap[.]com
- ftp[.]register[.]ourhobby[.]com
- ftp[.]registration2[.]instanthq[.]com
- ftp[.]registrations[.]4pu[.]com
- ftp[.]registrations[.]organiccrap[.]com
- ftp[.]remeberdata[.]iownyour[.]org
- ftp[.]reserveds[.]onedumb[.]com
- ftp[.]rethem[.]almostmy[.]com
- ftp[.]sdmsg[.]onmypc[.]org
- ftp[.]se[.]toythieves[.]com
- ftp[.]senseye[.]ikwb[.]com
- ftp[.]septdlluckysystem[.]jungleheart[.]com
- ftp[.]seraphim-yurieva[.]justdied[.]com
- ftp[.]serv[.]justdied[.]com
- ftp[.]server1[.]proxydns[.]com
- ftp[.]seyesb[.]acmetoy[.]com
- ftp[.]shugiin[.]jkub[.]com
- ftp[.]sstday[.]jkub[.]com
- ftp[.]support1[.]mrface[.]com
- ftp[.]svc[.]dynssl[.]com
- ftp[.]synssl[.]dnset[.]com
- ftp[.]tamraj[.]fartit[.]com
- ftp[.]ticket[.]instanthq[.]com
- ftp[.]tophost[.]dynamicdns[.]co[.]uk
- ftp[.]transfer[.]lflinkup[.]org
- ftp[.]transfer[.]vizvaz[.]com
- ftp[.]ugreen[.]itemdb[.]com
- ftp[.]uk[.]dynamicdns[.]org[.]uk
- ftp[.]un[.]ddns[.]info
- ftp[.]un[.]dnsrd[.]com
- ftp[.]usa[.]itsaol[.]com
- ftp[.]well[.]itsaol[.]com
- ftp[.]windowfile[.]itemdb[.]com
- ftp[.]windowsimages[.]itemdb[.]com
- ftp[.]windowsmirrors[.]vizvaz[.]com
- ftp[.]windowsupdate[.]2waky[.]com
- ftp[.]windowsupdate[.]3-a[.]net
- ftp[.]windowsupdate[.]authorizeddns[.]us
- ftp[.]windowsupdate[.]dns05[.]com
- ftp[.]windowsupdate[.]esmtp[.]biz
- ftp[.]windowsupdate[.]ezua[.]com
- ftp[.]windowsupdate[.]fartit[.]com
- ftp[.]windowsupdate[.]gettrials[.]com
- ftp[.]windowsupdate[.]instanthq[.]com
- ftp[.]windowsupdate[.]jungleheart[.]com
- ftp[.]windowsupdate[.]lflink[.]com
- ftp[.]windowsupdate[.]mrface[.]com
- ftp[.]windowsupdate[.]mylftv[.]com
- ftp[.]windowsupdate[.]rebatesrule[.]net
- ftp[.]windowsupdate[.]sellclassics[.]com
- ftp[.]windowsupdate[.]serveusers[.]com
- ftp[.]yandexr[.]sellclassics[.]com
- fukuoka[.]cloud-maste[.]com
- gavin[.]ccfchrist[.]com
- generat[.]almostmy[.]com
- gifuonlineshopping[.]mynumber[.]org
- glicense[.]shenajou[.]com
- globalnews[.]wikaba[.]com
- grammar[.]jkub[.]com
- helpus[.]ddns[.]info
- hii[.]qhigh[.]com
- home[.]trickip[.]org
- hukuoka[.]cloud-maste[.]com
- ibmmsg[.]strangled[.]net
- imitate[.]faqserv[.]com
- incloud-obert[.]com
- innocent-isayev[.]sexidude[.]com
- innov-tec[.]com[.]ua
- interpreter[.]shenajou[.]com
- invoices[.]sexxxy[.]biz
- iphone[.]vizvaz[.]com
- ipv4[.]microsoftupdate[.]mrbasic[.]com
- ipv4[.]windowsupdate[.]3-a[.]net
- ipv4[.]windowsupdate[.]dnset[.]com
- ipv4[.]windowsupdate[.]ezua[.]com
- ipv4[.]windowsupdate[.]itsaol[.]com
- ipv4[.]windowsupdate[.]lflink[.]com
- ipv4[.]windowsupdate[.]mylftv[.]com
- ipv4[.]windowsupdate[.]x24hr[.]com
- itlans[.]isasecret[.]com
- itunesdownload[.]jkub[.]com
- itunesdownload[.]vizvaz[.]com
- itunesdownload[.]wikaba[.]com
- itunesimages[.]itemdb[.]com
- itunesimages[.]itsaol[.]com
- itunesimages[.]qpoe[.]com
- itunesmirror[.]fartit[.]com
- itunesmirror[.]itsaol[.]com
- itunesmusic[.]ikwb[.]com
- itunesmusic[.]jetos[.]com
- itunesmusic[.]jkub[.]com
- itunesmusic[.]zzux[.]com
- itunesupdate[.]itsaol[.]com
- itunesupdates[.]organiccrap[.]com
- james[.]tffghelth[.]com
- jcie[.]mofa[.]ns01[.]info
- jimin[.]mymom[.]info
- jp[.]rakutenmusic[.]com
- jpnewslogs[.]sendsmtp[.]com
- jpstarmarket[.]serveusers[.]com
- Kawasaki[.]unhamj[.]com
- kennedy[.]tffghelth[.]com
- key[.]zzux[.]com
- kikimusic[.]sellclassics[.]com
- kmd[.]crabdance[.]com
- knowledge[.]sellclassics[.]com
- kxsbwappupdate[.]dhcp[.]biz
- kztmusiclnk[.]dnsrd[.]com
- lan[.]dynssl[.]com
- latestnews[.]epac[.]to
- latestnews[.]organiccrap[.]com
- lennon[.]fftpoor[.]com
- license[.]shenajou[.]com
- lion[.]wchildress[.]com
- lizard[.]poulsenv[.]com
- macfee[.]mrface[.]com
- machine[.]ddns[.]ms
- maffc[.]mrface[.]com
- mailowl[.]jkub[.]com
- Malcolm[.]fftpoor[.]com
- malware[.]dsmtp[.]com
- mason[.]vizvaz[.]com
- mediapath[.]organiccrap[.]com
- microhome[.]wikaba[.]com
- Microsoft[.]got-game[.]org
- Microsoft[.]mrface[.]com
- microsoftempowering[.]sendsmtp[.]com
- microsoftgetstarted[.]sexidude[.]com
- microsoftimages[.]organiccrap[.]com
- microsoftmirror[.]mrbasic[.]com
- microsoftmusic[.]itemdb[.]com
- microsoftmusic[.]mrbasic[.]com
- microsoftqckmanager[.]pcanywhere[.]net
- microsoftstores[.]itemdb[.]com
- microsoftupdate[.]mrbasic[.]com
- microsoftupdate[.]qhigh[.]com
- micrsoftware[.]dsmtp[.]com
- mmy[.]ddns[.]us
- mobile[.]2waky[.]com
- mod[.]jetos[.]com
- mofa[.]dynamic-dns[.]net
- mofa[.]ns01[.]info
- moonnightthse[.]zyns[.]com
- moscowdic[.]trickip[.]org
- moscowstdsupdate[.]toythieves[.]com
- mrsloveaqx[.]mrslove[.]com
- ms[.]ecc[.]u-tokyo-ac-jp[.]com
- mseupdate[.]ourhobby[.]com
- msg[.]ezua[.]com
- msn[.]incloud-go[.]com
- music[.]cleansite[.]us
- musicfile[.]ikwb[.]com
- musiclinker[.]jkub[.]com
- mx[.]yetrula[.]eu
- mytwhomeinst[.]sendsmtp[.]com
- na[.]americanunfinished[.]com
- networkjpnzee[.]mynetav[.]org
- newcityoforward[.]rebatesrule[.]net
- newsdata[.]jkub[.]com
- newsfile[.]toythieves[.]com
- newsreport[.]justdied[.]com
- newtime[.]ezua[.]com
- nezwq[.]ezua[.]com
- nmrx[.]mrbonus[.]com
- no[.]authorizeddns[.]org
- nsa[.]mefound[.]com
- nt[.]mynumber[.]org
- nttdata[.]otzo[.]com
- nuisance[.]serveusers[.]com
- nz[.]compress[.]to
- ol[.]almostmy[.]com
- onlinednsserver[.]sendsmtp[.]com
- oracleupdate[.]dns04[.]com
- outlook[.]sindeali[.]com
- owlmedia[.]mefound[.]com
- peopleinfodata[.]3-a[.]net
- pepper[.]sexxxy[.]biz
- portal[.]mrface[.]com
- portal[.]sendsmtp[.]com
- portalser[.]dynamic-dns[.]net
- praskovya-matveyeva[.]mefound[.]com
- praskovya-ulyanova[.]dumb1[.]com
- products[.]almostmy[.]com
- products[.]cleansite[.]us
- products[.]serveuser[.]com
- program[.]acmetoy[.]com
- purchase[.]lflinkup[.]org
- rain[.]orctldl[.]windowsupdate[.]authorizeddns[.]us
- read[.]xxuz[.]com
- recent[.]dns-stuff[.]com
- recent[.]fartit[.]com
- redflower[.]isasecret[.]com
- referred[.]gr8domain[.]biz
- referred[.]yourtrap[.]com
- register[.]ourhobby[.]com
- registration2[.]instanthq[.]com
- registrations[.]4pu[.]com
- registrations[.]organiccrap[.]com
- remeberdata[.]iownyour[.]org
- reserveds[.]onedumb[.]com
- rethem[.]almostmy[.]com
- sakai[.]unhamj[.]com
- sappore[.]cloud-maste[.]com
- sc[.]weboot[.]info
- scorpion[.]poulsenv[.]com
- sdmsg[.]onmypc[.]org
- se[.]toythieves[.]com
- secertnews[.]mrbasic[.]com
- send[.]mofa[.]ns01[.]info
- sendmsg[.]jumpingcrab[.]com
- senseye[.]ikwb[.]com
- septdlluckysystem[.]jungleheart[.]com
- seraphim-yurieva[.]justdied[.]com
- serv[.]justdied[.]com
- server1[.]proxydns[.]com
- seyesb[.]acmetoy[.]com
- shrimp[.]bdoncloud[.]com
- shugiin[.]jkub[.]com
- singed[.]otzo[.]com
- sojourner[.]mypicture[.]info
- sstday[.]jkub[.]com
- stone[.]jumpingcrab[.]com
- style[.]u-tokyo-ac-jp[.]com
- support1[.]mrface[.]com
- svc[.]dynssl[.]com
- synssl[.]dnset[.]com
- taipeifoodsite[.]ocry[.]com
- tamraj[.]fartit[.]com
- tfa[.]longmusic[.]com
- ticket[.]instanthq[.]com
- tophost[.]dynamicdns[.]co[.]uk
- transfer[.]lflinkup[.]org
- transfer[.]vizvaz[.]com
- travelyokogawafz[.]fartit[.]com
- trout[.]belowto[.]com
- twmusic[.]proxydns[.]com
- twpeoplemusicsite[.]my03[.]com
- twsslpopservupro[.]dynssl[.]com
- twtravelinfomation[.]toythieves[.]com
- twx[.]mynumber[.]org
- ugreen[.]itemdb[.]com
- uk[.]dynamicdns[.]org[.]uk
- ukuoka[.]cloud-maste[.]com
- ultimedia[.]vmmini[.]com
- un[.]ddns[.]info
- un[.]dnsrd[.]com
- updates[.]itsaol[.]com
- usa[.]itsaol[.]com
- usiness[.]vmmini[.]com
- usliveupdateonline[.]ygto[.]com
- ut-portal-u-tokyo-ac-jp[.]tyoto-go-jp[.]com
- v4[.]microsoftupdate[.]mrbasic[.]com
- v4[.]windowsupdate[.]dedgesuite[.]net
- v4[.]windowsupdate[.]dnset[.]com
- v4[.]windowsupdate[.]itsaol[.]com
- v4[.]windowsupdate[.]x24hr[.]com
- wcxh[.]mynetav[.]net
- well[.]itsaol[.]com
- whale[.]toshste[.]com
- windowfile[.]itemdb[.]com
- windowsimages[.]itemdb[.]com
- windowsmirrors[.]vizvaz[.]com
- windowsupdate[.]2waky[.]com
- windowsupdate[.]3-a[.]net
- windowsupdate[.]acmetoy[.]com
- windowsupdate[.]authorizeddns[.]net
- windowsupdate[.]authorizeddns[.]org
- windowsupdate[.]authorizeddns[.]us
- windowsupdate[.]dedgesuite[.]net
- windowsupdate[.]dns05[.]com
- windowsupdate[.]dnset[.]com
- windowsupdate[.]esmtp[.]biz
- windowsupdate[.]ezua[.]com
- windowsupdate[.]fartit[.]com
- windowsupdate[.]gettrials[.]com
- windowsupdate[.]instanthq[.]com
- windowsupdate[.]itsaol[.]com
- windowsupdate[.]jungleheart[.]com
- windowsupdate[.]lflink[.]com
- windowsupdate[.]mrface[.]com
- windowsupdate[.]mylftv[.]com
- windowsupdate[.]organiccrap[.]com
- windowsupdate[.]rebatesrule[.]net
- windowsupdate[.]sellclassics[.]com
- windowsupdate[.]serveusers[.]com
- windowsupdate[.]wcwname[.]com
- windowsupdate[.]x24hr[.]com
- windowsupdates[.]itemdb[.]com
- yahoo[.]incloud-go[.]com
- yandexr[.]sellclassics[.]com
- yfrfyhf[.]youdontcare[.]com
- yokohamajpinstaz[.]mrbonus[.]com
- zebra[.]bdoncloud[.]com
- zebra[.]incloud-go[.]com
- zero[.]pcanywhere[.]net
Domain(s)
- catholicmmb[.]com
- cloud-kingl[.]com
- cwiinatonal[.]com
- jica-go-jp[.]bike
- jica-go-jp[.]biz
- jimin-jp[.]biz
- meiji-ac-jp[.]com
- mofa-go-jp[.]com
- salvaiona[.]com
Filename
- mtcReport[.]ktc
- libvlc[.]dll
- VeetlePlayer[.]exe
Malware Hash (MD5/SHA1/SHA256)
- 009b639441ad5c1260f55afde2d5d21fc5b4f96c
- 01edb82de7b9666eaa5d2791a14092f2e73d2795
- 02e702af02a6b9a8b31cd470c18e383093ef4ed404811b414d6d131df01f9acd
- 06b0af6ff00647f57119d8a261829f73
- 0876f0cb9d03bc5539b242a374976b217095ec0d
- 0b05143e2e4b56dbf5ef7a58b5013bc3
- 0c0a39e1cab4fc9896bdf5ef3c96a716
- 0f6b00b0c5a26a5aa8942ae356329945
- 19417f7551bc54db6783823325557773
- 19610f0d343657f6842d2045e8818f09
- 19aa5019f3c00211182b2a80dd9675721dac7cfb31d174436d3b8ec9f97d898b
- 1b891bc2e5038615efafabe48920f200
- 1df29c63c917b089fe0fc099e2783c0c679892e5
- 1f412a62f50ff71f0b2b2f54aaa980962ebfd8a4
- 23d03ee4bf57de7087055b230dae7c5b
- 2a07420c768fa49c05327741e0709c3ac5a71a06
- 2c1b42e8c8acea5082275b6ea5f5c64ebaf4fa30
- 2c71eb5c781daa43047fa6e3d85d51a061aa1dfa41feb338e0d4139a6dfd6910
- 2d5c5e210c7db4ba6012bd761154db0d1f5cd658
- 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c
- 312dc69dd6ea16842d6e58cd7fd98ba4d28eefeb4fd4c4d198fac4eee76f93c3
- 316e89d866d5c710530c2103f183d86c31e9a90d55e2ebc2dda94f112f3bdb6d
- 3afa9243b3aeb534e02426569d85e517
- 3cbb5664d70bbe62f19ee28f26f21d7e
- 3cfb1bf0063ea9d893f9e95c11e223cc06299337
- 3ebbfeee3a832c92bb60b531f749230e
- 4132068417bcbffec16ac655a14f29aa74189fcb
- 42d5c9c4c02e6d5c88ec0acce72327389a92f0d7
- 4521a74337a8b454f9b80c7d9e57b4c9580567f84e513d9a3ce763275c55e691
- 45d804f35266b26bf63e3d616715fc593931e33aa07feba5ad6875609692efa2
- 472b1710794d5c420b9d921c484ca9e8
- 4cc0adf4baa1e3932d74282affb1a137b30820934ad4f80daceec712ba2bbe14
- 5412cddde0a2f2d78ec9de0f9a02ac2b22882543c9f15724ebe14b3a0bf8cbda
- 56126b1c19c1121c0f5065204ef5cc4633079b98
- 56d6c3ffa4f3d5ae742f937fae85f0995814cf90
- 5961861d2b9f50d05055814e6bfd1c6291b30719f8a4d02d4cf80c2e87753fa1
- 598ff82ea4fb52717acafb227c83d474
- 5a78974df88ab6a67bb72a5c7a437fb2
- 5b045d98606f000a236b1bd4ac4c9e482b3f5475
- 61df36789f7d2314c79a41be512300d7c84131bb
- 6235e5a45fa51a10826ced8e90adcf93
- 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3
- 6605b27e95f5c3c8012e4a75d1861786fb749b9a712a5f4871adbad81addb59e
- 667989ffa5e77943f3384e78adf93510
- 68e3f80012a78518ddbde055b5e42dd4d82e58e5
- 6bc2558eb8915edc19835d9e734023a2368f876971f5580478782c7444f9581c
- 6c7e85e426999579dd6a540fcd827b644a79cda0ad50211d585a0be513571586
- 6ec0f91b5b74bc06ebb561cdeb0f4796
- 6edd9bb17a999b5f5abcf123a2701e4ea4ada9a2
- 6fccfa1559a64edff571d6042abd8a59
- 741e955a9e458a70b5c085b3bfba800fdfb4ccde
- 75500bb4143a052795ec7d2e61ac3261
- 76721d08b83aae945aa00fe69319f896b92c456def4df5b203357cf443074c03
- 7891f00dcab0e4a2f928422062e94213
- 79f61eda72c41b5ec526a3d5a1a91f86f0bc0eca470e07ab50d9626231143f11
- 7cace2e51e8ecc5ddb9720a8dc9e1f3596fe343b
- 7cb04a4b86d998604341bc2b610a0a556830993d
- 7d10708a518b26cc8c3cbfbaa224e032
- 7eeaa97d346bc3f8090e5b742f42e8900127703420295279ac7e04d06ebe0a04
- 7fe6c8191749767254513b03da03cfbf6dd6c139
- 80dfcb6ec50f381f153ade2866f18d4b
- 81ba8a1a9e26950c52580f5b046dbe1c8b6f6868
- 81df89d6fa0b26cadd4e50ef5350f341
- 83d419bc812d08c9d09baa49a4313a81eda54702
- 850a7e877d8e68188714ff5344f6fc15
- 86cea2cb7510a6031d44b8472d806ae2205f438f
- 8a93859e5f7079d6746832a3a22ff65c
- 8ece7de82e1bdd4659a122c06ea9533e
- 9188923fcfca6bda9e13ec2efeb3b4ccc5f560cc
- 92dbbe0eff3fe0082c3485b99e6a949d9c3747afa493a0a1e336829a7c1faafb
- 95ab56ab1f0d4f010569ead7915fbc833a36cd73
- 9a6692690c03ec33c758cb5648be1ed886ff039e6b72f1c43b23fbd9c342ce8c
- 9ae3b326cf716fbccbecfd292846a3a9
- 9c2f3bbfbb1cdfe30ef0aad88d461daf
- 9e0b78aacf4871cddc0468d517f928970fd54c8d
- 9f01dd2b19a1032e848619428dd46bfeb6772be2e78b33723d2fa076f1320c57
- a6284ed7e11fdffa6b187c0fefafa421e0f56318
- a6b6c66735e5e26002202b9d263bf8c97e278f6969c141853857000c8d242d24
- a7d0b38bda630c927820380d311ddc70a9606407
- a82a59fd073c3c868be93f52d09203e93e87d79a
- a91669bb4dcb713e997ddf98417730de78cb990a
- a954a3f20ef8065d98d9e3a3c5ae254e27c63bf6
- aaa19e15cfe66a105428048f3242889afae170dd
- aaec782a5256150c88b75c912bf4d091cf0c32e9
- aaee7385b2c836e9d3e14812807f911c2144a894
- ad879f64e9137836283592720d95aadb
- ae6b45a92384f6e43672e617c53a44225e2944d66c1ffb074694526386074145
- aee17dbab01ed334bb94506fcbc2ed259242159e
- af406d35c77b1e0df17f839e36bce630
- af9dde68c73d69ea535103e963f09587b6aa020081bbce06347de05fa469c257
- b0649c1f7fb15796805ca983fd8f95a3
- b1043250c499ccf0ad56a688ccce662f42386869
- b20ce00a6864225f05de6407fac80ddb83cd0aec00ada438c1e354cdd0d7d5df
- b966657d35bba9416775d320bb87086001995bbe
- bb269704ba8647da97377440d403ae4d
- bc2f07066c624663b0a6f71cb965009d4d9b480213de51809cdc454ca55f1a91
- bd4110fdaa3c99c09ad4883085ddd62b6f9f9bd7
- c0c8dcc9dad39da8278bf8956e30a3fc
- c1cb28327d3364768d1c1e4ce0d9bc07
- c21eaadf9ffc62ca4673e27e06c16447f103c0cf7acd8db6ac5c8bd17805e39d
- c6b8ed157eed54958da73716f8db253ba5124a0e4b649f08de060c4aa6531afc
- c793c4e63fe61140dc92749a38e63820776548a3
- ca119725c2cef7baad0690d82b770c25ff64c7e7f1fc9e0e65c91d20151cd204
- ca9644ef0f7ed355a842f6e2d4511546
- cb0c8681a407a76f8c0fd2512197aafad8120aa62e5c871c29d1fd2a102bc628
- d1bab4a30f2889ad392d17573302f097
- d316848ce47c098ccfe72aa7311aaffa
- da3cb3ade7f129838ff3c816b223859d91d377b6
- db212129be94fe77362751c557d0e893
- dbb867c2250b5be4e67d1977fcf721fb
- dcff19fc193f1ba63c5dc6f91f00070e6912dcec3868e889fed37102698b554b
- dd0494eb1ab29e577354fca895bec92a
- de5af856804974ba3df03928fff03447e8f4c9c2
- df8f49a3fdf8a9d550b22d65d21a8006ff593ac4
- e418387dd296e00aea9141c8c4b73690495640a0
- e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e
- e88f5bf4be37e0dc90ba1a06a2d47faaeea9047fec07c17c2a76f9f7ab98acf0
- e975d5b29d988929e5ad3a8fa19083d1
- f03f70d331c6564aec8931f481949188
- f1ca9998ca9078c27a6dab286dfe25fcdfb1ad734cc2af390bdcb97da1214563
- f251485a62e104dfd8629dc4d2dfd572ebd0ab554602d682a28682876a47e773
- f50460d3ddcc9628d0e86de1aa292895
- f5744d72c6919f994ff452b0e758ffee
- f586edd88023f49bc4f9d84f9fb6bd7d
- fa89eeaac3c9de18aee8c58b6580dfea
- fadf362a52dcf884f0d41ce3df9eaa9bb30227afda50c0e0657c096baff501f0
- fb4e516e1e2a369d1cdfb208ee885cb4848bed707a0514367f464c8e7519cb50
- fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0
- fd6a956a7708708cddff78c8505c7db73d7c4e961da8a3c00cc5a51171a92b7b
- ff0b79ed5ca3a5e1a9dabf8e47b15366c1d0783d0396af2cbba8e253020dbb34
Remediation
Block the threat indicators at their respective controls: the hostnames and domains at DNS resolvers and web proxies, the IP addresses at perimeter firewalls, and the file hashes in endpoint protection. Match hostnames as full names rather than by label. The list deliberately mimics update and media services (windowsupdate, microsoftupdate, applemusic, itunesdownload) under shared dynamic-DNS parent zones such as wikaba[.]com, itemdb[.]com, organiccrap[.]com and 3-a[.]net, so blocking on a label alone will catch legitimate update traffic, and blocking the parent zone will cause collateral damage to unrelated users of that zone. IP addresses on infrastructure like this are reassigned over time, so treat a match on an IP as a lead to verify rather than as confirmed compromise.
Keep systems patched against all known vulnerabilities, and conduct regular vulnerability scans of internal and external networks and hosted content to identify and mitigate exposures.
Because the campaign reaches victims through the trusted access held by their managed service providers, review the accounts, remote-access paths and privileges your providers use to reach your environment, restrict them to the minimum required, and log their use.
Implement an Intrusion Detection System (IDS) with alerts forwarded to a SIEM, so that internal activity, including the provider connections above, is monitored continuously rather than only at the perimeter.
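The lists above are published defanged (`[.]` for `.`), a few lines carry two indicators separated only by a space, and the hostnames sit under shared dynamic-DNS parent zones. The following is an added example, not code from the Rewterz alert, showing how to parse such a list into typed indicator sets, then match DNS-resolver log lines at label boundaries (so `ctldl.windowsupdate.com` and the parent zone `wikaba.com` are not flagged while `ftp.applemusic.wikaba.com` is) and check file contents against the MD5/SHA1/SHA256 sets. The indicator excerpt is taken from the lists above; the log-line format, the sample log lines and all function names are assumptions made for this example.

```python
"""Parse a defanged indicator list and match it against DNS logs and file hashes.

Added example, not part of the Rewterz alert. The bullet format mirrors the
alert's lists; the log format, sample log lines and function names are assumed.
"""
import hashlib
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Excerpt of the alert's indicators in its "- value" bullet format. Two lines
# carry two indicators each, exactly as some lines on the page do.
IOC_TEXT = """
- 103[.]208[.]86[.]129
- ctldl[.]windowsupdate[.]dnset[.]com
- applemusic[.]wikaba[.]com
- ea[.]onmypc[.]info edgar[.]ccfchrist[.]com
- 598ff82ea4fb52717acafb227c83d474 5a78974df88ab6a67bb72a5c7a437fb2
- 009b639441ad5c1260f55afde2d5d21fc5b4f96c
- 02e702af02a6b9a8b31cd470c18e383093ef4ed404811b414d6d131df01f9acd
"""

# Constructed resolver log, assumed format: "<timestamp> <client> <qtype> <qname>".
DNS_LOG = """
2019-02-06T10:01:02Z 10.0.0.15 A ctldl.windowsupdate.dnset.com
2019-02-06T10:01:05Z 10.0.0.15 A ctldl.windowsupdate.com
2019-02-06T10:02:11Z 10.0.0.22 A ftp.applemusic.wikaba.com
2019-02-06T10:02:30Z 10.0.0.22 A www.wikaba.com
2019-02-06T10:03:00Z 10.0.0.31 A edgar.ccfchrist.com
"""

HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
IOC_TYPES = ("ip", "domain", "hash:md5", "hash:sha1", "hash:sha256")


def refang(token: str) -> str:
    """Undo the '[.]' defanging used in published indicator lists."""
    return token.replace("[.]", ".").strip().lower().rstrip(".")


def classify(value: str) -> str:
    """Decide by shape whether a refanged token is an IP, a hash or a hostname."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if len(value) in HASH_KIND and re.fullmatch(r"[0-9a-f]+", value):
        return "hash:" + HASH_KIND[len(value)]
    return "domain"


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Split bullet lines into typed sets; whitespace separates fused entries."""
    iocs: Dict[str, Set[str]] = {kind: set() for kind in IOC_TYPES}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("- "):
            continue
        for token in line[2:].split():
            value = refang(token)
            iocs[classify(value)].add(value)
    return iocs


def matching_domain(qname: str, domains: Set[str]) -> Optional[str]:
    """Return the listed hostname that qname equals or is a subdomain of.

    Candidates are built only at label boundaries, so ctldl.windowsupdate.com
    never hits ctldl.windowsupdate.dnset.com, and www.wikaba.com never hits the
    applemusic.wikaba.com entry: the shared parent zone itself is not blocked.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(log: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried name, matched indicator) for each hit."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _qtype, qname = parts[:4]
        matched = matching_domain(qname, iocs["domain"])
        if matched:
            hits.append((ts, client, qname, matched))
    return hits


def hash_matches(data: bytes, iocs: Dict[str, Set[str]]) -> List[str]:
    """Hash file contents with every algorithm the list uses and report hits."""
    found = []
    for kind in ("md5", "sha1", "sha256"):
        digest = hashlib.new(kind, data).hexdigest()
        if digest in iocs["hash:" + kind]:
            found.append(kind + ":" + digest)
    return found


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in scan_dns_log(DNS_LOG, iocs):
        print("DNS hit: %s client=%s query=%s indicator=%s" % hit)
    print("hash hits for a benign sample:", hash_matches(b"not the malware", iocs))
```

Run against the constructed log, three of the five queries are reported: the exact `ctldl.windowsupdate.dnset.com`, the `ftp.` subdomain of `applemusic.wikaba.com`, and `edgar.ccfchrist.com` (recovered from a fused line). The lookalike `ctldl.windowsupdate.com` and the parent zone `www.wikaba.com` are left alone, which is the point of matching on whole labels instead of substrings. Feed `hash_matches` the bytes of files found on a suspect host to check them against all three hash sets at once.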