Rewterz Threat Alert – Spear-Phishing Email Spoofs Microsoft Domain
December 9, 2020Rewterz Threat Advisory – Microsoft Patches 58 Vulnerabilities in Multiple Products
December 9, 2020Rewterz Threat Alert – Spear-Phishing Email Spoofs Microsoft Domain
December 9, 2020Rewterz Threat Advisory – Microsoft Patches 58 Vulnerabilities in Multiple Products
December 9, 2020Severity
High
Analysis Summary
A campaign has been uncovered that looks like the work of Iran-based APT group Helix Kitten, aka OilRig and APT34. Initial analysis of likely OilRig-related observables revealed a phishing campaign targeting the Russian nuclear industry with Chinese language characteristics, as well as several other manufacturing and technology companies. While much remains unknown about this newly identified campaign. A login page used in the campaign appears to be a straightforward credential harvester, submitting credentials entered into the form fields as a POST to the same hosting domain. The domain itself appears to be either an abandoned or compromised legitimate website associated with a local fire department in the United States. Based on these links, DomainTools assesses some possibility for phishing themes combining Russian nuclear organizations with Chinese construction and critical infrastructure entities against individuals working on such projects.
Recently, in July, OilRig has targeted Middle Eastern organizations as well. Moreover, this APT group targets a vast range of geography. One of its earlier campaigns include targeting 100 organizations across 27 countries.
Impact
- Credential Theft
- Unauthorized Access
- Information Theft
Indicators of Compromise
Domain Name
- stagmein[.]pl
- mngtboard[.]com
- lavalingroup[.]com
- groupsexecutive[.]com
- cornerstoneconect[.]com
- boardsexecutives[.]com
- boardexecutivemanagement[.]com
- anhuisiafu[.]com
- zj-tunq[.]com
- wiqzi[.]com
- wilsonconts[.]com
- virtualcaresadvisor[.]com
- virtual-slots[.]com
- us-customs[.]org
- svn-stone[.]com
- superrnax[.]com
- renrenbaowang[.]net
- renrenbaowang[.]com
- petrochinas[.]com
- pet188[.]biz
- oculus-au[.]info
- klwebsrv[.]com
- kent-lawfirm[.]net
- jlrootfile[.]com
- jinkangpu[.]co
- jiabolianjie0[.]com
- indeptheva[.]com
- huopay[.]top
- hscminkjet[.]com
- hoganlouells[.]com
- exmngt[.]com
- connect-roofing[.]com
- clearinghouseinternational[.]com
- chinaconstructioncorp[.]com
- cererock[.]com
- careers-ntiva[.]com
- berqertextiles[.]com
- bargertextiles[.]com
- amazon-loveyou[.]com
- alcirineos[.]com
- ababab[.]biz
From Email
- cjay006@yandex[.]com
- chr1styjoe@yandex[.]com
- diandianlai@yandex[.]com
- lovelead247@yandex[.]com
Source IP
- 77[.]55[.]219[.]100
- 69[.]64[.]147[.]39
- 193[.]239[.]84[.]207
- 158[.]247[.]204[.]149
- 156[.]253[.]10[.]173
- 141[.]136[.]36[.]251
- 108[.]62[.]118[.]233
- 103[.]19[.]1[.]142
URL
- http[:]//iafflocal290[.]org/sapm/Poland/china[.]php
Remediation
- Block the threat indicators at their respective controls.
- Do not download attachments or click on links given in untrusted emails.
- Use multi-factor authentication where possible.