• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Spear-Phishing Email Spoofs Microsoft Domain
December 9, 2020
Rewterz Threat Advisory – Microsoft Patches 58 Vulnerabilities in Multiple Products
December 9, 2020

Rewterz Threat Alert – APT34 (OilRig) Fresh Campaign – IoCs

December 9, 2020

Severity

High

Analysis Summary

A campaign has been uncovered that looks like the work of Iran-based APT group Helix Kitten, aka OilRig and APT34. Initial analysis of likely OilRig-related observables revealed a phishing campaign targeting the Russian nuclear industry with Chinese language characteristics, as well as several other manufacturing and technology companies. While much remains unknown about this newly identified campaign. A login page used in the campaign appears to be a straightforward credential harvester, submitting credentials entered into the form fields as a POST to the same hosting domain. The domain itself appears to be either an abandoned or compromised legitimate website associated with a local fire department in the United States. Based on these links, DomainTools assesses some possibility for phishing themes combining Russian nuclear organizations with Chinese construction and critical infrastructure entities against individuals working on such projects.

Recently, in July, OilRig has targeted Middle Eastern organizations as well. Moreover, this APT group targets a vast range of geography. One of its earlier campaigns include targeting 100 organizations across 27 countries. 

Impact

  • Credential Theft
  • Unauthorized Access
  • Information Theft

Indicators of Compromise

Domain Name

  • stagmein[.]pl
  • mngtboard[.]com
  • lavalingroup[.]com
  • groupsexecutive[.]com
  • cornerstoneconect[.]com
  • boardsexecutives[.]com
  • boardexecutivemanagement[.]com
  • anhuisiafu[.]com
  • zj-tunq[.]com
  • wiqzi[.]com
  • wilsonconts[.]com
  • virtualcaresadvisor[.]com
  • virtual-slots[.]com
  • us-customs[.]org
  • svn-stone[.]com
  • superrnax[.]com
  • renrenbaowang[.]net
  • renrenbaowang[.]com
  • petrochinas[.]com
  • pet188[.]biz
  • oculus-au[.]info
  • klwebsrv[.]com
  • kent-lawfirm[.]net
  • jlrootfile[.]com
  • jinkangpu[.]co
  • jiabolianjie0[.]com
  • indeptheva[.]com
  • huopay[.]top
  • hscminkjet[.]com
  • hoganlouells[.]com
  • exmngt[.]com
  • connect-roofing[.]com
  • clearinghouseinternational[.]com
  • chinaconstructioncorp[.]com
  • cererock[.]com
  • careers-ntiva[.]com
  • berqertextiles[.]com
  • bargertextiles[.]com
  • amazon-loveyou[.]com
  • alcirineos[.]com
  • ababab[.]biz

From Email

  • cjay006@yandex[.]com
  • chr1styjoe@yandex[.]com
  • diandianlai@yandex[.]com
  • lovelead247@yandex[.]com

Source IP

  • 77[.]55[.]219[.]100
  • 69[.]64[.]147[.]39
  • 193[.]239[.]84[.]207
  • 158[.]247[.]204[.]149
  • 156[.]253[.]10[.]173
  • 141[.]136[.]36[.]251
  • 108[.]62[.]118[.]233
  • 103[.]19[.]1[.]142

URL

  • http[:]//iafflocal290[.]org/sapm/Poland/china[.]php

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download attachments or click on links given in untrusted emails.
  • Use multi-factor authentication where possible.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.