Severity
High
Analysis Summary
APT29 is linked to Russia's Foreign Intelligence Service (SVR). The group has targeted government networks in Europe and NATO member states, research institutes, and think tanks since at least 2008. APT29 typically focuses on a single target, launching a first-stage payload that reconnoitres the environment while establishing persistence. The group also carried out the notorious SolarWinds attack in 2020. In 2014, APT29 attacked commercial and government organisations in Germany, Uzbekistan, South Korea, and the United States, including the US State Department and the White House.
The group has also attacked many vaccine manufacturers in an attempt to undermine the response to the Coronavirus pandemic. APT29 is also known as Nobelium, the Dukes, CozyDuke, EuroAPT, CozyBear, CozyCar, Office Monkeys, SeaDuke, HammerToss, Iron Hemlock, and Grizzly Steppe.
Impact
- Information Theft and Espionage
- Exposure of Sensitive Data
Indicators of Compromise
Filename
- Covid[.]html
- Covid[.]iso
- DeleteDateConnectionPosition[.]dll
Remediation
- Block the threat indicators at their respective controls.
- Search for IOCs in your environment.