• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – New LockerGoga Ransomware used in Cyber Attacks in Multiple Countries
January 31, 2019
Rewterz Threat Alert – Malware Steals Cryptocurrency Wallets and Credit Card Credentials
February 6, 2019

Rewterz Threat Alert – APT10 Group Targets Multiple Sectors in Multiple Countries, Including Finance, IT and Energy sectors

February 1, 2019

SEVERITY: HIGH

 

 

CATEGORY: APT (Advanced Persistent Threat)

 

 

ANALYSIS SUMMARY

 

 

The group known as APT10 / Cloud Hopper hits victims in many different sectors, such as: information technology, finance, energy, healthcare and public health, communications, and critical manufacturing. The espionage campaign has targeted managed IT service providers (MSSPs), allowing the APT10 group to steal a huge set of intellectual property and sensitive data of those MSSPs and their clients globally.

 

 

The campaign uses multiple malware families and variants, some of which are currently not detected by anti-virus signatures. Depending on the defensive mitigation in place, they may gain full access to networks and data in a way that appears legitimate to bypass detection. The campaign uses customized variants of Trojans and Malware that have been previously linked to Chinese espionage campaign.

 

 

INDICATORS OF COMPROMISE

 

IP(s) / Hostname(s)

  • 103[.]208[.]86[.]129
  • 107[.]181[.]160[.]109
  • 109[.]237[.]108[.]150
  • 109[.]237[.]108[.]202
  • 109[.]237[.]111[.]175
  • 109[.]248[.]222[.]85
  • 110[.]10[.]176[.]181
  • 151[.]101[.]100[.]73
  • 151[.]236[.]20[.]16
  • 158[.]255[.]208[.]170
  • 158[.]255[.]208[.]189
  • 158[.]255[.]208[.]61
  • 160[.]202[.]163[.]78
  • 160[.]202[.]163[.]79
  • 160[.]202[.]163[.]82
  • 160[.]202[.]163[.]90
  • 160[.]202[.]163[.]91
  • 162[.]243[.]6[.]98
  • 183[.]134[.]11[.]84
  • 185[.]117[.]88[.]77
  • 185[.]117[.]88[.]78
  • 185[.]117[.]88[.]81
  • 185[.]117[.]88[.]82
  • 185[.]133[.]40[.]63
  • 185[.]14[.]185[.]189
  • 185[.]141[.]25[.]33
  • 211[.]110[.]17[.]209
  • 31[.]184[.]198[.]23
  • 31[.]184[.]198[.]38
  • 61[.]97[.]241[.]239
  • 81[.]176[.]239[.]56
  • 86[.]106[.]102[.]3
  • 92[.]242[.]144[.]2
  • 95[.]183[.]52[.]57
  • 95[.]47[.]156[.]86
  • abc[.]wikaba[.]com
  • ad[.]getfond[.]info
  • additional[.]sexidude[.]com
  • announcements[.]toythieves[.]com
  • apple[.]cmdnetview[.]com
  • apple[.]ikwb[.]com
  • appledownload[.]ourhobby[.]com
  • appleimages[.]itemdb[.]com
  • appleimages[.]longmusic[.]com
  • appleimages[.]organiccrap[.]com
  • applemirror[.]organiccrap[.]com
  • applemirror[.]squirly[.]info
  • applemusic[.]isasecret[.]com
  • applemusic[.]itemdb[.]com
  • applemusic[.]wikaba[.]com
  • applemusic[.]xxuz[.]com
  • applemusic[.]zzux[.]com
  • appleupdate[.]itemdb[.]com
  • appleupdateurl[.]2waky[.]com
  • asfzx[.]x24hr[.]com
  • availab[.]wikaba[.]com
  • availability[.]justdied[.]com
  • babymusicsitetr[.]mymom[.]info
  • back[.]jungleheart[.]com
  • back[.]mofa[.]dynamic-dns[.]net
  • bak[.]ignorelist[.]com
  • bak[.]un[.]dnsrd[.]com
  • balance1[.]wikaba[.]com
  • barber[.]faqserv[.]com
  • be[.]mrslove[.]com
  • bexm[.]cleansite[.]biz
  • bezu[.]itemdb[.]com
  • billing[.]organiccrap[.]com
  • blaaaaaaaaaaaa[.]windowsupdate[.]3-a[.]net
  • brand[.]fartit[.]com
  • bulletproof[.]squirly[.]info
  • cdn[.]incloud-go[.]com
  • center[.]shenajou[.]com
  • cia[.]ezua[.]com
  • civilwar123[.]authorizeddns[.]org
  • civilwar520[.]onmypc[.]org
  • cnnews[.]mylftv[.]com
  • commissioner[.]shenajou[.]com
  • commons[.]onedumb[.]com
  • contactus[.]myddns[.]com
  • contactus[.]onmypc[.]us
  • contract[.]4mydomain[.]com
  • contractus[.]qpoe[.]com
  • contractus[.]zzux[.]com
  • cress[.]mynetav[.]net
  • ctldl[.]microsoftupdate[.]qhigh[.]com
  • ctldl[.]windowsupdate[.]authorizeddns[.]us
  • ctldl[.]windowsupdate[.]dnset[.]com
  • ctldl[.]windowsupdate[.]ezua[.]com
  • ctldl[.]windowsupdate[.]itsaol[.]com
  • ctldl[.]windowsupdate[.]organiccrap[.]com
  • ctldl[.]windowsupdate[.]x24hr[.]com
  • cvnx[.]zyns[.]com
  • dasonews[.]youdontcare[.]com
  • daughter[.]vizvaz[.]com
  • de[.]onmypc[.]info
  • dec[.]seyesb[.]acmetoy[.]com
  • details[.]squirly[.]info
  • development[.]shenajou[.]com
  • dick[.]ccfchrist[.]com
  • digsby[.]ourhobby[.]com
  • disruptive[.]https443[.]net
  • document[.]shenajou[.]com
  • download[.]windowsupdate[.]dedgesuite[.]net
  • download[.]windowsupdate[.]dnset[.]com
  • download[.]windowsupdate[.]itsaol[.]com
  • download[.]windowsupdate[.]x24hr[.]com
  • ea[.]onmypc[.]info edgar[.]ccfchrist[.]com
  • ehshiroshima[.]mylftv[.]com
  • eric-averyanov[.]wha[.]la
  • eu[.]acmetoy[.]com
  • eu[.]wha[.]la
  • ewe[.]toshste[.]com
  • fabian[.]ccfchrist[.]com
  • fbi[.]sexxxy[.]biz file[.]zzux[.]com
  • feed[.]jungleheart[.]com
  • film[.]everydayfilmlink[.]com
  • findme[.]epac[.]to
  • fire[.]mrface[.]com
  • firstnews[.]jkub[.]com
  • flea[.]poulsenv[.]com
  • foal[.]wchildress[.]com
  • fr[.]wikaba[.]com
  • freegamecenter[.]onedumb[.]com
  • ftp[.]2014[.]zzux[.]com
  • ftp[.]additional[.]sexidude[.]com
  • ftp[.]announcements[.]toythieves[.]com
  • ftp[.]appledownload[.]ourhobby[.]com
  • ftp[.]appleimages[.]itemdb[.]com
  • ftp[.]appleimages[.]longmusic[.]com
  • ftp[.]appleimages[.]organiccrap[.]com
  • ftp[.]applemirror[.]organiccrap[.]com
  • ftp[.]applemirror[.]squirly[.]info
  • ftp[.]applemusic[.]isasecret[.]com
  • ftp[.]applemusic[.]itemdb[.]com
  • ftp[.]applemusic[.]wikaba[.]com
  • ftp[.]applemusic[.]xxuz[.]com
  • ftp[.]applemusic[.]zzux[.]com
  • ftp[.]appleupdate[.]itemdb[.]com
  • ftp[.]asfzx[.]x24hr[.]com
  • ftp[.]availab[.]wikaba[.]com
  • ftp[.]availability[.]justdied[.]com
  • ftp[.]back[.]jungleheart[.]com
  • ftp[.]balance1[.]wikaba[.]com
  • ftp[.]be[.]mrslove[.]com
  • ftp[.]brand[.]fartit[.]com
  • ftp[.]bulletproof[.]squirly[.]info
  • ftp[.]civilwar123[.]authorizeddns[.]org
  • ftp[.]civilwar520[.]onmypc[.]org
  • ftp[.]cnnews[.]mylftv[.]com
  • ftp[.]commons[.]onedumb[.]com
  • ftp[.]contractus[.]qpoe[.]com
  • ftp[.]de[.]onmypc[.]info
  • ftp[.]details[.]squirly[.]info
  • ftp[.]disruptive[.]https443[.]net
  • ftp[.]ea[.]onmypc[.]info
  • ftp[.]ehshiroshima[.]mylftv[.]com
  • ftp[.]eric-averyanov[.]wha[.]la
  • ftp[.]eu[.]acmetoy[.]com
  • ftp[.]eu[.]wha[.]la
  • ftp[.]fire[.]mrface[.]com
  • ftp[.]fr[.]wikaba[.]com
  • ftp[.]fuck[.]ikwb[.]com
  • ftp[.]generat[.]almostmy[.]com
  • ftp[.]hii[.]qhigh[.]com
  • ftp[.]innocent-isayev[.]sexidude[.]com
  • ftp[.]invoices[.]sexxxy[.]biz
  • ftp[.]itlans[.]isasecret[.]com
  • ftp[.]itunesdownload[.]jkub[.]com
  • ftp[.]itunesdownload[.]wikaba[.]com
  • ftp[.]itunesimages[.]itemdb[.]com
  • ftp[.]itunesimages[.]itsaol[.]com
  • ftp[.]itunesimages[.]qpoe[.]com
  • ftp[.]itunesmirror[.]fartit[.]com
  • ftp[.]itunesmirror[.]itsaol[.]com
  • ftp[.]itunesmusic[.]ikwb[.]com
  • ftp[.]itunesmusic[.]jetos[.]com
  • ftp[.]itunesmusic[.]jkub[.]com
  • ftp[.]itunesmusic[.]zzux[.]com
  • ftp[.]itunesupdate[.]itsaol[.]com
  • ftp[.]itunesupdates[.]organiccrap[.]com
  • ftp[.]jimin[.]mymom[.]info
  • ftp[.]key[.]zzux[.]com
  • ftp[.]knowledge[.]sellclassics[.]com
  • ftp[.]lan[.]dynssl[.]com
  • ftp[.]latestnews[.]epac[.]to
  • ftp[.]latestnews[.]organiccrap[.]com
  • ftp[.]macfee[.]mrface[.]com
  • ftp[.]maffc[.]mrface[.]com
  • ftp[.]malware[.]dsmtp[.]com
  • ftp[.]mason[.]vizvaz[.]com
  • ftp[.]mediapath[.]organiccrap[.]com
  • ftp[.]Microsoft[.]got-game[.]org
  • ftp[.]microsoft[.]mrface[.]com
  • ftp[.]microsoftimages[.]organiccrap[.]com
  • ftp[.]microsoftmusic[.]mrbasic[.]com
  • ftp[.]microsoftqckmanager[.]pcanywhere[.]net
  • ftp[.]microsoftupdate[.]mrbasic[.]com
  • ftp[.]microsoftupdate[.]qhigh[.]com
  • ftp[.]mmy[.]ddns[.]us
  • ftp[.]mod[.]jetos[.]com
  • ftp[.]mofa[.]dynamic-dns[.]net
  • ftp[.]mofa[.]ns01[.]info
  • ftp[.]moscowdic[.]trickip[.]org
  • ftp[.]musicfile[.]ikwb[.]com
  • ftp[.]na[.]americanunfinished[.]com
  • ftp[.]newsdata[.]jkub[.]com
  • ftp[.]no[.]authorizeddns[.]org
  • ftp[.]nt[.]mynumber[.]org
  • ftp[.]nz[.]compress[.]to
  • ftp[.]ol[.]almostmy[.]com
  • ftp[.]oracleupdate[.]dns04[.]com
  • ftp[.]portal[.]mrface[.]com
  • ftp[.]portal[.]sendsmtp[.]com
  • ftp[.]portalser[.]dynamic-dns[.]net
  • ftp[.]praskovya-matveyeva[.]mefound[.]com
  • ftp[.]praskovya-ulyanova[.]dumb1[.]com
  • ftp[.]products[.]almostmy[.]com
  • ftp[.]products[.]cleansite[.]us
  • ftp[.]products[.]serveuser[.]com
  • ftp[.]purchase[.]lflinkup[.]org
  • ftp[.]recent[.]dns-stuff[.]com
  • ftp[.]recent[.]fartit[.]com
  • ftp[.]referred[.]gr8domain[.]biz
  • ftp[.]referred[.]yourtrap[.]com
  • ftp[.]register[.]ourhobby[.]com
  • ftp[.]registration2[.]instanthq[.]com
  • ftp[.]registrations[.]4pu[.]com
  • ftp[.]registrations[.]organiccrap[.]com
  • ftp[.]remeberdata[.]iownyour[.]org
  • ftp[.]reserveds[.]onedumb[.]com
  • ftp[.]rethem[.]almostmy[.]com
  • ftp[.]sdmsg[.]onmypc[.]org
  • ftp[.]se[.]toythieves[.]com
  • ftp[.]senseye[.]ikwb[.]com
  • ftp[.]septdlluckysystem[.]jungleheart[.]com
  • ftp[.]seraphim-yurieva[.]justdied[.]com
  • ftp[.]serv[.]justdied[.]com
  • ftp[.]server1[.]proxydns[.]com
  • ftp[.]seyesb[.]acmetoy[.]com
  • ftp[.]shugiin[.]jkub[.]com
  • ftp[.]sstday[.]jkub[.]com
  • ftp[.]support1[.]mrface[.]com
  • ftp[.]svc[.]dynssl[.]com
  • ftp[.]synssl[.]dnset[.]com
  • ftp[.]tamraj[.]fartit[.]com
  • ftp[.]ticket[.]instanthq[.]com
  • ftp[.]tophost[.]dynamicdns[.]co[.]uk
  • ftp[.]transfer[.]lflinkup[.]org
  • ftp[.]transfer[.]vizvaz[.]com
  • ftp[.]ugreen[.]itemdb[.]com
  • ftp[.]uk[.]dynamicdns[.]org[.]uk
  • ftp[.]un[.]ddns[.]info
  • ftp[.]un[.]dnsrd[.]com
  • ftp[.]usa[.]itsaol[.]com
  • ftp[.]well[.]itsaol[.]com
  • ftp[.]windowfile[.]itemdb[.]com
  • ftp[.]windowsimages[.]itemdb[.]com
  • ftp[.]windowsmirrors[.]vizvaz[.]com
  • ftp[.]windowsupdate[.]2waky[.]com
  • ftp[.]windowsupdate[.]3-a[.]net
  • ftp[.]windowsupdate[.]authorizeddns[.]us
  • ftp[.]windowsupdate[.]dns05[.]com
  • ftp[.]windowsupdate[.]esmtp[.]biz
  • ftp[.]windowsupdate[.]ezua[.]com
  • ftp[.]windowsupdate[.]fartit[.]com
  • ftp[.]windowsupdate[.]gettrials[.]com
  • ftp[.]windowsupdate[.]instanthq[.]com
  • ftp[.]windowsupdate[.]jungleheart[.]com
  • ftp[.]windowsupdate[.]lflink[.]com
  • ftp[.]windowsupdate[.]mrface[.]com
  • ftp[.]windowsupdate[.]mylftv[.]com
  • ftp[.]windowsupdate[.]rebatesrule[.]net
  • ftp[.]windowsupdate[.]sellclassics[.]com
  • ftp[.]windowsupdate[.]serveusers[.]com
  • ftp[.]yandexr[.]sellclassics[.]com
  • fukuoka[.]cloud-maste[.]com
  • gavin[.]ccfchrist[.]com
  • generat[.]almostmy[.]com
  • gifuonlineshopping[.]mynumber[.]org
  • glicense[.]shenajou[.]com
  • globalnews[.]wikaba[.]com
  • grammar[.]jkub[.]com
  • helpus[.]ddns[.]info
  • hii[.]qhigh[.]com
  • home[.]trickip[.]org
  • hukuoka[.]cloud-maste[.]com
  • ibmmsg[.]strangled[.]net
  • imitate[.]faqserv[.]com
  • incloud-obert[.]com
  • innocent-isayev[.]sexidude[.]com
  • innov-tec[.]com[.]ua
  • interpreter[.]shenajou[.]com
  • invoices[.]sexxxy[.]biz
  • iphone[.]vizvaz[.]com
  • ipv4[.]microsoftupdate[.]mrbasic[.]com
  • ipv4[.]windowsupdate[.]3-a[.]net
  • ipv4[.]windowsupdate[.]dnset[.]com
  • ipv4[.]windowsupdate[.]ezua[.]com
  • ipv4[.]windowsupdate[.]itsaol[.]com
  • ipv4[.]windowsupdate[.]lflink[.]com
  • ipv4[.]windowsupdate[.]mylftv[.]com
  • ipv4[.]windowsupdate[.]x24hr[.]com
  • itlans[.]isasecret[.]com
  • itunesdownload[.]jkub[.]com
  • itunesdownload[.]vizvaz[.]com
  • itunesdownload[.]wikaba[.]com
  • itunesimages[.]itemdb[.]com
  • itunesimages[.]itsaol[.]com
  • itunesimages[.]qpoe[.]com
  • itunesmirror[.]fartit[.]com
  • itunesmirror[.]itsaol[.]com
  • itunesmusic[.]ikwb[.]com
  • itunesmusic[.]jetos[.]com
  • itunesmusic[.]jkub[.]com
  • itunesmusic[.]zzux[.]com
  • itunesupdate[.]itsaol[.]com
  • itunesupdates[.]organiccrap[.]com
  • james[.]tffghelth[.]com
  • jcie[.]mofa[.]ns01[.]info
  • jimin[.]mymom[.]info
  • jp[.]rakutenmusic[.]com
  • jpnewslogs[.]sendsmtp[.]com
  • jpstarmarket[.]serveusers[.]com
  • Kawasaki[.]unhamj[.]com
  • kennedy[.]tffghelth[.]com
  • key[.]zzux[.]com
  • kikimusic[.]sellclassics[.]com
  • kmd[.]crabdance[.]com
  • knowledge[.]sellclassics[.]com
  • kxsbwappupdate[.]dhcp[.]biz
  • kztmusiclnk[.]dnsrd[.]com
  • lan[.]dynssl[.]com
  • latestnews[.]epac[.]to
  • latestnews[.]organiccrap[.]com
  • lennon[.]fftpoor[.]com
  • license[.]shenajou[.]com
  • lion[.]wchildress[.]com
  • lizard[.]poulsenv[.]com
  • macfee[.]mrface[.]com
  • machine[.]ddns[.]ms
  • maffc[.]mrface[.]com
  • mailowl[.]jkub[.]com
  • Malcolm[.]fftpoor[.]com
  • malware[.]dsmtp[.]com
  • mason[.]vizvaz[.]com
  • mediapath[.]organiccrap[.]com
  • microhome[.]wikaba[.]com
  • Microsoft[.]got-game[.]org
  • Microsoft[.]mrface[.]com
  • microsoftempowering[.]sendsmtp[.]com
  • microsoftgetstarted[.]sexidude[.]com
  • microsoftimages[.]organiccrap[.]com
  • microsoftmirror[.]mrbasic[.]com
  • microsoftmusic[.]itemdb[.]com
  • microsoftmusic[.]mrbasic[.]com
  • microsoftqckmanager[.]pcanywhere[.]net
  • microsoftstores[.]itemdb[.]com
  • microsoftupdate[.]mrbasic[.]com
  • microsoftupdate[.]qhigh[.]com
  • micrsoftware[.]dsmtp[.]com
  • mmy[.]ddns[.]us
  • mobile[.]2waky[.]com
  • mod[.]jetos[.]com
  • mofa[.]dynamic-dns[.]net
  • mofa[.]ns01[.]info
  • moonnightthse[.]zyns[.]com
  • moscowdic[.]trickip[.]org
  • moscowstdsupdate[.]toythieves[.]com
  • mrsloveaqx[.]mrslove[.]com
  • ms[.]ecc[.]u-tokyo-ac-jp[.]com
  • mseupdate[.]ourhobby[.]com
  • msg[.]ezua[.]com
  • msn[.]incloud-go[.]com
  • music[.]cleansite[.]us
  • musicfile[.]ikwb[.]com
  • musiclinker[.]jkub[.]com
  • mx[.]yetrula[.]eu
  • mytwhomeinst[.]sendsmtp[.]com
  • na[.]americanunfinished[.]com
  • networkjpnzee[.]mynetav[.]org
  • newcityoforward[.]rebatesrule[.]net
  • newsdata[.]jkub[.]com
  • newsfile[.]toythieves[.]com
  • newsreport[.]justdied[.]com
  • newtime[.]ezua[.]com
  • nezwq[.]ezua[.]com
  • nmrx[.]mrbonus[.]com
  • no[.]authorizeddns[.]org
  • nsa[.]mefound[.]com
  • nt[.]mynumber[.]org
  • nttdata[.]otzo[.]com
  • nuisance[.]serveusers[.]com
  • nz[.]compress[.]to
  • ol[.]almostmy[.]com
  • onlinednsserver[.]sendsmtp[.]com
  • oracleupdate[.]dns04[.]com
  • outlook[.]sindeali[.]com
  • owlmedia[.]mefound[.]com
  • peopleinfodata[.]3-a[.]net
  • pepper[.]sexxxy[.]biz
  • portal[.]mrface[.]com
  • portal[.]sendsmtp[.]com
  • portalser[.]dynamic-dns[.]net
  • praskovya-matveyeva[.]mefound[.]com
  • praskovya-ulyanova[.]dumb1[.]com
  • products[.]almostmy[.]com
  • products[.]cleansite[.]us
  • products[.]serveuser[.]com
  • program[.]acmetoy[.]com
  • purchase[.]lflinkup[.]org
  • rain[.]orctldl[.]windowsupdate[.]authorizeddns[.]us
  • read[.]xxuz[.]com
  • recent[.]dns-stuff[.]com
  • recent[.]fartit[.]com
  • redflower[.]isasecret[.]com
  • referred[.]gr8domain[.]biz
  • referred[.]yourtrap[.]com
  • register[.]ourhobby[.]com
  • registration2[.]instanthq[.]com
  • registrations[.]4pu[.]com
  • registrations[.]organiccrap[.]com
  • remeberdata[.]iownyour[.]org
  • reserveds[.]onedumb[.]com
  • rethem[.]almostmy[.]com
  • sakai[.]unhamj[.]com
  • sappore[.]cloud-maste[.]com
  • sc[.]weboot[.]info
  • scorpion[.]poulsenv[.]com
  • sdmsg[.]onmypc[.]org
  • se[.]toythieves[.]com
  • secertnews[.]mrbasic[.]com
  • send[.]mofa[.]ns01[.]info
  • sendmsg[.]jumpingcrab[.]com
  • senseye[.]ikwb[.]com
  • septdlluckysystem[.]jungleheart[.]com
  • seraphim-yurieva[.]justdied[.]com
  • serv[.]justdied[.]com
  • server1[.]proxydns[.]com
  • seyesb[.]acmetoy[.]com
  • shrimp[.]bdoncloud[.]com
  • shugiin[.]jkub[.]com
  • singed[.]otzo[.]com
  • sojourner[.]mypicture[.]info
  • sstday[.]jkub[.]com
  • stone[.]jumpingcrab[.]com
  • style[.]u-tokyo-ac-jp[.]com
  • support1[.]mrface[.]com
  • svc[.]dynssl[.]com
  • synssl[.]dnset[.]com
  • taipeifoodsite[.]ocry[.]com
  • tamraj[.]fartit[.]com
  • tfa[.]longmusic[.]com
  • ticket[.]instanthq[.]com
  • tophost[.]dynamicdns[.]co[.]uk
  • transfer[.]lflinkup[.]org
  • transfer[.]vizvaz[.]com
  • travelyokogawafz[.]fartit[.]com
  • trout[.]belowto[.]com
  • twmusic[.]proxydns[.]com
  • twpeoplemusicsite[.]my03[.]com
  • twsslpopservupro[.]dynssl[.]com
  • twtravelinfomation[.]toythieves[.]com
  • twx[.]mynumber[.]org
  • ugreen[.]itemdb[.]com
  • uk[.]dynamicdns[.]org[.]uk
  • ukuoka[.]cloud-maste[.]com
  • ultimedia[.]vmmini[.]com
  • un[.]ddns[.]info
  • un[.]dnsrd[.]com
  • updates[.]itsaol[.]com
  • usa[.]itsaol[.]com
  • usiness[.]vmmini[.]com
  • usliveupdateonline[.]ygto[.]com
  • ut-portal-u-tokyo-ac-jp[.]tyoto-go-jp[.]com
  • v4[.]microsoftupdate[.]mrbasic[.]com
  • v4[.]windowsupdate[.]dedgesuite[.]net
  • v4[.]windowsupdate[.]dnset[.]com
  • v4[.]windowsupdate[.]itsaol[.]com
  • v4[.]windowsupdate[.]x24hr[.]com
  • wcxh[.]mynetav[.]net
  • well[.]itsaol[.]com
  • whale[.]toshste[.]com
  • windowfile[.]itemdb[.]com
  • windowsimages[.]itemdb[.]com
  • windowsmirrors[.]vizvaz[.]com
  • windowsupdate[.]2waky[.]com
  • windowsupdate[.]3-a[.]net
  • windowsupdate[.]acmetoy[.]com
  • windowsupdate[.]authorizeddns[.]net
  • windowsupdate[.]authorizeddns[.]org
  • windowsupdate[.]authorizeddns[.]us
  • windowsupdate[.]dedgesuite[.]net
  • windowsupdate[.]dns05[.]com
  • windowsupdate[.]dnset[.]com
  • windowsupdate[.]esmtp[.]biz
  • windowsupdate[.]ezua[.]com
  • windowsupdate[.]fartit[.]com
  • windowsupdate[.]gettrials[.]com
  • windowsupdate[.]instanthq[.]com
  • windowsupdate[.]itsaol[.]com
  • windowsupdate[.]jungleheart[.]com
  • windowsupdate[.]lflink[.]com
  • windowsupdate[.]mrface[.]com
  • windowsupdate[.]mylftv[.]com
  • windowsupdate[.]organiccrap[.]com
  • windowsupdate[.]rebatesrule[.]net
  • windowsupdate[.]sellclassics[.]com
  • windowsupdate[.]serveusers[.]com
  • windowsupdate[.]wcwname[.]com
  • windowsupdate[.]x24hr[.]com
  • windowsupdates[.]itemdb[.]com
  • yahoo[.]incloud-go[.]com
  • yandexr[.]sellclassics[.]com
  • yfrfyhf[.]youdontcare[.]com
  • yokohamajpinstaz[.]mrbonus[.]com
  • zebra[.]bdoncloud[.]com
  • zebra[.]incloud-go[.]com
  • zero[.]pcanywhere[.]net

 

 

URLs

 

 

  • catholicmmb[.]com
  • cloud-kingl[.]com
  • cwiinatonal[.]com
  • jica-go-jp[.]bike
  • jica-go-jp[.]biz
  • jimin-jp[.]biz
  • meiji-ac-jp[.]com
  • mofa-go-jp[.]com
  • salvaiona[.]com

 

 

Filename

 

 

  • mtcReport[.]ktc
  • libvlc[.]dll
  • VeetlePlayer[.]exe

 

 

Malware Hash (MD5/SHA1/SH256)

 

 

  • 009b639441ad5c1260f55afde2d5d21fc5b4f96c
  • 01edb82de7b9666eaa5d2791a14092f2e73d2795
  • 02e702af02a6b9a8b31cd470c18e383093ef4ed404811b414d6d131df01f9acd
  • 06b0af6ff00647f57119d8a261829f73
  • 0876f0cb9d03bc5539b242a374976b217095ec0d
  • 0b05143e2e4b56dbf5ef7a58b5013bc3
  • 0c0a39e1cab4fc9896bdf5ef3c96a716
  • 0f6b00b0c5a26a5aa8942ae356329945
  • 19417f7551bc54db6783823325557773
  • 19610f0d343657f6842d2045e8818f09
  • 19aa5019f3c00211182b2a80dd9675721dac7cfb31d174436d3b8ec9f97d898b
  • 1b891bc2e5038615efafabe48920f200
  • 1df29c63c917b089fe0fc099e2783c0c679892e5
  • 1f412a62f50ff71f0b2b2f54aaa980962ebfd8a4
  • 23d03ee4bf57de7087055b230dae7c5b
  • 2a07420c768fa49c05327741e0709c3ac5a71a06
  • 2c1b42e8c8acea5082275b6ea5f5c64ebaf4fa30
  • 2c71eb5c781daa43047fa6e3d85d51a061aa1dfa41feb338e0d4139a6dfd6910
  • 2d5c5e210c7db4ba6012bd761154db0d1f5cd658
  • 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c
  • 312dc69dd6ea16842d6e58cd7fd98ba4d28eefeb4fd4c4d198fac4eee76f93c3
  • 316e89d866d5c710530c2103f183d86c31e9a90d55e2ebc2dda94f112f3bdb6d
  • 3afa9243b3aeb534e02426569d85e517
  • 3cbb5664d70bbe62f19ee28f26f21d7e
  • 3cfb1bf0063ea9d893f9e95c11e223cc06299337
  • 3ebbfeee3a832c92bb60b531f749230e
  • 4132068417bcbffec16ac655a14f29aa74189fcb
  • 42d5c9c4c02e6d5c88ec0acce72327389a92f0d7
  • 4521a74337a8b454f9b80c7d9e57b4c9580567f84e513d9a3ce763275c55e691
  • 45d804f35266b26bf63e3d616715fc593931e33aa07feba5ad6875609692efa2
  • 472b1710794d5c420b9d921c484ca9e8
  • 4cc0adf4baa1e3932d74282affb1a137b30820934ad4f80daceec712ba2bbe14
  • 5412cddde0a2f2d78ec9de0f9a02ac2b22882543c9f15724ebe14b3a0bf8cbda
  • 56126b1c19c1121c0f5065204ef5cc4633079b98
  • 56d6c3ffa4f3d5ae742f937fae85f0995814cf90
  • 5961861d2b9f50d05055814e6bfd1c6291b30719f8a4d02d4cf80c2e87753fa1
  • 598ff82ea4fb52717acafb227c83d474 5a78974df88ab6a67bb72a5c7a437fb2
  • 5b045d98606f000a236b1bd4ac4c9e482b3f5475
  • 61df36789f7d2314c79a41be512300d7c84131bb 6235e5a45fa51a10826ced8e90adcf93
  • 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3
  • 6605b27e95f5c3c8012e4a75d1861786fb749b9a712a5f4871adbad81addb59e
  • 667989ffa5e77943f3384e78adf93510
  • 68e3f80012a78518ddbde055b5e42dd4d82e58e5
  • 6bc2558eb8915edc19835d9e734023a2368f876971f5580478782c7444f9581c
  • 6c7e85e426999579dd6a540fcd827b644a79cda0ad50211d585a0be513571586
  • 6ec0f91b5b74bc06ebb561cdeb0f4796
  • 6edd9bb17a999b5f5abcf123a2701e4ea4ada9a2
  • 6fccfa1559a64edff571d6042abd8a59
  • 741e955a9e458a70b5c085b3bfba800fdfb4ccde
  • 75500bb4143a052795ec7d2e61ac3261
  • 76721d08b83aae945aa00fe69319f896b92c456def4df5b203357cf443074c03
  • 7891f00dcab0e4a2f928422062e94213
  • 79f61eda72c41b5ec526a3d5a1a91f86f0bc0eca470e07ab50d9626231143f11
  • 7cace2e51e8ecc5ddb9720a8dc9e1f3596fe343b
  • 7cb04a4b86d998604341bc2b610a0a556830993d
  • 7d10708a518b26cc8c3cbfbaa224e032
  • 7eeaa97d346bc3f8090e5b742f42e8900127703420295279ac7e04d06ebe0a04
  • 7fe6c8191749767254513b03da03cfbf6dd6c139
  • 80dfcb6ec50f381f153ade2866f18d4b
  • 81ba8a1a9e26950c52580f5b046dbe1c8b6f6868
  • 81df89d6fa0b26cadd4e50ef5350f341
  • 83d419bc812d08c9d09baa49a4313a81eda54702
  • 850a7e877d8e68188714ff5344f6fc15
  • 86cea2cb7510a6031d44b8472d806ae2205f438f
  • 8a93859e5f7079d6746832a3a22ff65c
  • 8ece7de82e1bdd4659a122c06ea9533e
  • 9188923fcfca6bda9e13ec2efeb3b4ccc5f560cc
  • 92dbbe0eff3fe0082c3485b99e6a949d9c3747afa493a0a1e336829a7c1faafb
  • 95ab56ab1f0d4f010569ead7915fbc833a36cd73
  • 9a6692690c03ec33c758cb5648be1ed886ff039e6b72f1c43b23fbd9c342ce8c
  • 9ae3b326cf716fbccbecfd292846a3a9
  • 9c2f3bbfbb1cdfe30ef0aad88d461daf
  • 9e0b78aacf4871cddc0468d517f928970fd54c8d
  • 9f01dd2b19a1032e848619428dd46bfeb6772be2e78b33723d2fa076f1320c57
  • a6284ed7e11fdffa6b187c0fefafa421e0f56318
  • a6b6c66735e5e26002202b9d263bf8c97e278f6969c141853857000c8d242d24
  • a7d0b38bda630c927820380d311ddc70a9606407
  • a82a59fd073c3c868be93f52d09203e93e87d79a
  • a91669bb4dcb713e997ddf98417730de78cb990a
  • a954a3f20ef8065d98d9e3a3c5ae254e27c63bf6
  • aaa19e15cfe66a105428048f3242889afae170dd
  • aaec782a5256150c88b75c912bf4d091cf0c32e9
  • aaee7385b2c836e9d3e14812807f911c2144a894
  • ad879f64e9137836283592720d95aadb
  • ae6b45a92384f6e43672e617c53a44225e2944d66c1ffb074694526386074145
  • aee17dbab01ed334bb94506fcbc2ed259242159e
  • af406d35c77b1e0df17f839e36bce630
  • af9dde68c73d69ea535103e963f09587b6aa020081bbce06347de05fa469c257
  • b0649c1f7fb15796805ca983fd8f95a3
  • b1043250c499ccf0ad56a688ccce662f42386869
  • b20ce00a6864225f05de6407fac80ddb83cd0aec00ada438c1e354cdd0d7d5df
  • b966657d35bba9416775d320bb87086001995bbe
  • bb269704ba8647da97377440d403ae4d
  • bc2f07066c624663b0a6f71cb965009d4d9b480213de51809cdc454ca55f1a91
  • bd4110fdaa3c99c09ad4883085ddd62b6f9f9bd7
  • c0c8dcc9dad39da8278bf8956e30a3fc
  • c1cb28327d3364768d1c1e4ce0d9bc07
  • c21eaadf9ffc62ca4673e27e06c16447f103c0cf7acd8db6ac5c8bd17805e39d
  • c6b8ed157eed54958da73716f8db253ba5124a0e4b649f08de060c4aa6531afc
  • c793c4e63fe61140dc92749a38e63820776548a3
  • ca119725c2cef7baad0690d82b770c25ff64c7e7f1fc9e0e65c91d20151cd204
  • ca9644ef0f7ed355a842f6e2d4511546
  • cb0c8681a407a76f8c0fd2512197aafad8120aa62e5c871c29d1fd2a102bc628
  • d1bab4a30f2889ad392d17573302f097
  • d316848ce47c098ccfe72aa7311aaffa
  • da3cb3ade7f129838ff3c816b223859d91d377b6
  • db212129be94fe77362751c557d0e893
  • dbb867c2250b5be4e67d1977fcf721fb
  • dcff19fc193f1ba63c5dc6f91f00070e6912dcec3868e889fed37102698b554b
  • dd0494eb1ab29e577354fca895bec92a
  • de5af856804974ba3df03928fff03447e8f4c9c2
  • df8f49a3fdf8a9d550b22d65d21a8006ff593ac4
  • e418387dd296e00aea9141c8c4b73690495640a0
  • e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e
  • e88f5bf4be37e0dc90ba1a06a2d47faaeea9047fec07c17c2a76f9f7ab98acf0
  • e975d5b29d988929e5ad3a8fa19083d1
  • f03f70d331c6564aec8931f481949188
  • f1ca9998ca9078c27a6dab286dfe25fcdfb1ad734cc2af390bdcb97da1214563
  • f251485a62e104dfd8629dc4d2dfd572ebd0ab554602d682a28682876a47e773
  • f50460d3ddcc9628d0e86de1aa292895
  • f5744d72c6919f994ff452b0e758ffee
  • f586edd88023f49bc4f9d84f9fb6bd7d
  • fa89eeaac3c9de18aee8c58b6580dfea
  • fadf362a52dcf884f0d41ce3df9eaa9bb30227afda50c0e0657c096baff501f0
  • fb4e516e1e2a369d1cdfb208ee885cb4848bed707a0514367f464c8e7519cb50
  • fcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0
  • fd6a956a7708708cddff78c8505c7db73d7c4e961da8a3c00cc5a51171a92b7b
  • ff0b79ed5ca3a5e1a9dabf8e47b15366c1d0783d0396af2cbba8e253020dbb34

 

 

Remediation

 

Block the threat indicators at their respective controls. Keep systems up-to-date that are patched against all known vulnerabilities.

Researchers also suggest to conduct regular vulnerability scans of the internal and external networks and hosted content to identify and mitigate vulnerabilities.

Implement an Intrusion Detection System (IDS) to ensure continuous monitoring, sending alerts to a SIEM tool and monitoring internal activity.

 

  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.