Rewterz Threat Alert – A New SolarMarker Infostealer – Active IOCs
March 6, 2024Rewterz Threat Update – New Critical TeamCity Authentication Bypass Flaws with Publicly Available Exploit
March 6, 2024Rewterz Threat Alert – A New SolarMarker Infostealer – Active IOCs
March 6, 2024Rewterz Threat Update – New Critical TeamCity Authentication Bypass Flaws with Publicly Available Exploit
March 6, 2024Severity
High
Analysis Summary
APT-17, also known as “Bitter APT” or “DeputyDog” is a state-sponsored cyber espionage group that is believed to operate out of China. They have been active since at least 2012 and have primarily targeted organizations in the aerospace, defense, and technology industries. They are known for targeting China, Pakistan, and Saudi Arabia and have expanded to set their sights on Bangladeshi government agencies. The group is known for using a wide range of custom malware and tools to carry out their operations, including Remote Access Trojans (RATs), keyloggers, and backdoors. The group’s malware is known to be complex, and multi-stage and uses a range of techniques to evade detection, such as code signing, the use of legitimate tools and third-party tools, and the use of encrypted communications. They are also known to use spear-phishing campaigns to gain initial access to targeted systems. They have been active for more than a decade and are known to use a wide range of custom malware and tools to carry out their operations. Organizations in these sectors should be aware of the threat actors and take appropriate measures to protect against their attacks. This includes implementing robust security measures, such as advanced threat detection and response capabilities, as well as employee training on how to identify and respond to spear-phishing campaigns. The group was observed using Powershell and curl instead of msiexe in one of the latest campaigns.
Impact
- Information Theft and Espionage
Indicators of Compromise
MD5
- 78fb50b058e54e232255e0bbde50911d
- 82975ea9c8c498223bb2cc50b6326e76
- 648aa0270b39553fda4a2c3b03129a47
SHA-256
- eba30aacf384a7c07c333666fce77c17ae583d6267e129b954e3e0d18d8dd9af
- c0120c1f458497602ae3068e7e755d5056f7a0b2c28c9e6ba9a3bfe12b27ad56
- 9b83788f47b744adeb5255c48e68c87313a7c2409d5ebc84d913d87930e791b0
SHA-1
- 4dd6401adabbf926e571a59e67ee57588d45be70
- cccb4a8afd9f3e3ca1e3d9cbb96ae377d82c4804
- 85086350deb96cdf416ab22d898ba7191f1b3f51
Domain Name
- clairsvanieclub.com
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions on time. Using a multi-layered protection is necessary to secure vulnerable assets.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Enable two-factor authentication.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.