Rewterz Threat Alert – APT-C-23 Distributes Information Stealer PyMICROPSIA
December 15, 2020
Rewterz Threat Advisory – CVE-2020-12516 – ICS: WAGO Series 750-88x and 750-352
December 16, 2020
Severity
High
Analysis Summary
BITTER APT (also tracked as APT-C-08) is a threat actor suspected of having a South Asian background. The group has a long history of targeted attacks against China, Pakistan and other countries, mainly against government, defence-industry, electric power and nuclear energy organizations, with the aim of stealing sensitive information.
Recently, targeted attacks by this group against domestic government organizations and enterprises have been detected. The captured samples are SFX (self-extracting archive) files disguised as documents related to the shipbuilding industry. When run, a decoy PDF is displayed to the victim while the malware executes in the background to carry out covert data theft.
The group's tradecraft has changed little in this round of attacks: it still communicates with a C2 server that was previously attributed to it, and the plug-in modules delivered by that C2 server are essentially the same as those seen in earlier attacks.
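The SFX technique described above lends itself to a cheap static check. An SFX is a stock extractor stub (a PE) with the archive appended after the last section as overlay data, so a PE whose overlay begins with an archive signature is worth pulling for triage. The following is an added example written for this advisory, not Rewterz code and not derived from the samples listed below; the PE it builds for the demo is constructed and the advisory does not state which SFX format the group used.

```python
"""Static triage for SFX droppers: flag PE files whose overlay is an archive.

Added example for this advisory, not Rewterz code. An SFX is a stock
extractor stub (a PE) with the archive appended as overlay data after the
last section, so a cheap static check is "PE whose overlay begins with an
archive signature". The sample PE is constructed here for the demo.
"""
import struct
import sys
from typing import Optional

# Archive signatures commonly found at the start of SFX overlay data.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x00": "RAR4",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
    b"PK\x03\x04": "ZIP",
}


def pe_overlay_offset(data: bytes) -> Optional[int]:
    """Offset where overlay data begins (end of the last section's raw data),
    or None when `data` is not a parseable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    (n_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    first_section = coff + 20 + opt_size
    end = 0
    for i in range(n_sections):
        hdr = first_section + i * 40                     # IMAGE_SECTION_HEADER
        if hdr + 40 > len(data):
            return None                                  # truncated section table
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def classify_sfx(data: bytes) -> dict:
    """Report whether `data` is a PE carrying an appended archive."""
    off = pe_overlay_offset(data)
    if off is None:
        return {"is_pe": False, "overlay_size": 0, "archive": None}
    overlay = data[off:]
    kind = next((name for magic, name in ARCHIVE_MAGICS.items()
                 if overlay.startswith(magic)), None)
    return {"is_pe": True, "overlay_size": len(overlay), "archive": kind}


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 (one 0x200-byte section) with `overlay` appended.
    Demo input only; it is not one of the advisory's samples."""
    opt_size = 0xE0                                      # PE32 optional header size
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    section = (b".text\x00\x00\x00"
               + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
               + b"\x00" * 16)
    headers = (dos + b"PE\x00\x00" + coff + opt + section).ljust(0x200, b"\x00")
    return headers + b"\xC3" * 0x200 + overlay           # section body, then overlay


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_sfx(fh.read()))
    if len(sys.argv) == 1:
        demo = build_sample_pe(b"Rar!\x1a\x07\x00" + b"\x00" * 32)
        print("constructed sample:", classify_sfx(demo))
```

Run it with file paths as arguments to classify real samples; with no arguments it classifies the constructed PE. A non-empty overlay with no archive signature is not by itself suspicious (signed binaries and some installers carry overlay data), which is why the result reports the archive type separately from the overlay size.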
Impact
- Credential Theft
- Unauthorized Code Execution
- Remote Control
- Data Manipulation
- Information Theft
Indicators of Compromise
Domain Name
- pichostfrm[.]net
MD5
- f6b250aff0e2f5b592a6753c4fdb4475
- f4daf0eccf9972bdefb79fbf9f7fb6ee
- a39aa2ecbbb50c97727503e23ce7b8c6
- 99dd93a189fd734fb00246a7a37014d3
- 806626d6e7a283efffb53b3831d53346
- 660a678cd7202475cf0d2c48b4b52bab
- 25a16b0fca9acd71450e02a341064c8d
- 1475df569f8a31e49a659c6d9764ae93
SHA-256
- 08fdd8642b657afe39b6023efb85ed3c9c7c349c75e68d2424417fe40e36d22e
- 78b16177d8c5b2e06622688a9196ce7452ca1b25a350daae8c4f12c2e415065c
- c42865e79497dbba80cfd806e0d3dc58769212fca2f9e82620029503b6ef7d8a
- b2d7336f382a22d5fb6899fc2bd87c7cd401451ecd6af8ccb9ea7dbbe62fc1b7
- 76494e3c71c44b3586f65e678c0d42b06c94396596159dacb9c3b65bd8edab66
- d957239ba4d314e47de9748e77a229f4f969f55b3fcf54a096e7971c7f1bab7d
- 26b3c9a5077232c1bbb5c5b4fc5513e3e0b54a735c32ae90a6d6c1e1d7e4cc0f
- 6cb0c0a2f89d1e82653d2b0dd1389007543616d11f0709ff194a4db2d36865f7
SHA-1
- c663870d693af2ca04f8c8c5861c4b92b8cdd932
- c65a902b61e6158fa453b3bbdd81c57739383d63
- ccb1f082d2539ee9e2ba5f7a69d0d2fb26644f91
- 829785ea04587bb60003819c8919fed842216a83
- 820f205b40462d50bf1889410eb8b712256eab15
- a0c4ee924cd2a57e1b62b722c3b89a05ffc74663
- 826334eb7990950f7e154d2494cc12437723aad2
- 40f9a260eafd137b068a536053fe9db97114f348
Source IP
- 82[.]221[.]136[.]27
- 72[.]11[.]134[.]216
- 162[.]0[.]229[.]203
Remediation
- Block the threat indicators at their respective controls.
- Do not open links from untrusted emails or from unknown origin shared on social media.
- Do not click and execute email attachments from unknown sources.
- Maintain timely backup of important files.
- Upgrade products to patched versions against all known vulnerabilities.
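To act on the first remediation item, the indicators above have to be refanged and matched against what the environment actually produces: file hashes from endpoints and hostnames or IPs from proxy, DNS and firewall logs. The following is an added example written for this advisory, not Rewterz code; it carries the advisory's own hashes, domain and IPs, while the file contents and log lines it scans are constructed for the demo and come from no real environment.

```python
"""Match the advisory's indicators against file hashes and proxy/DNS/firewall logs.

Added example, not Rewterz code. The indicators are copied from the IOC
section above (defanged with "[.]"); the file contents and log lines are
constructed for the demo and do not come from any real environment.
"""
import hashlib
import re
import sys

DEFANGED_DOMAINS = ["pichostfrm[.]net"]
DEFANGED_IPS = ["82[.]221[.]136[.]27", "72[.]11[.]134[.]216", "162[.]0[.]229[.]203"]

# MD5, SHA-1 and SHA-256 values from the advisory, kept in one set so any algorithm can hit.
KNOWN_HASHES = set("""
f6b250aff0e2f5b592a6753c4fdb4475 f4daf0eccf9972bdefb79fbf9f7fb6ee
a39aa2ecbbb50c97727503e23ce7b8c6 99dd93a189fd734fb00246a7a37014d3
806626d6e7a283efffb53b3831d53346 660a678cd7202475cf0d2c48b4b52bab
25a16b0fca9acd71450e02a341064c8d 1475df569f8a31e49a659c6d9764ae93
c663870d693af2ca04f8c8c5861c4b92b8cdd932 c65a902b61e6158fa453b3bbdd81c57739383d63
ccb1f082d2539ee9e2ba5f7a69d0d2fb26644f91 829785ea04587bb60003819c8919fed842216a83
820f205b40462d50bf1889410eb8b712256eab15 a0c4ee924cd2a57e1b62b722c3b89a05ffc74663
826334eb7990950f7e154d2494cc12437723aad2 40f9a260eafd137b068a536053fe9db97114f348
08fdd8642b657afe39b6023efb85ed3c9c7c349c75e68d2424417fe40e36d22e
78b16177d8c5b2e06622688a9196ce7452ca1b25a350daae8c4f12c2e415065c
c42865e79497dbba80cfd806e0d3dc58769212fca2f9e82620029503b6ef7d8a
b2d7336f382a22d5fb6899fc2bd87c7cd401451ecd6af8ccb9ea7dbbe62fc1b7
76494e3c71c44b3586f65e678c0d42b06c94396596159dacb9c3b65bd8edab66
d957239ba4d314e47de9748e77a229f4f969f55b3fcf54a096e7971c7f1bab7d
26b3c9a5077232c1bbb5c5b4fc5513e3e0b54a735c32ae90a6d6c1e1d7e4cc0f
6cb0c0a2f89d1e82653d2b0dd1389007543616d11f0709ff194a4db2d36865f7
""".split())


def refang(ioc: str) -> str:
    """Turn a defanged indicator into the live form that appears in logs."""
    return ioc.replace("[.]", ".").lower()


NETWORK_IOCS = {refang(x) for x in DEFANGED_DOMAINS + DEFANGED_IPS}

# Hostnames / dotted-quad IPs inside a log line, matched as whole tokens only.
HOST_RE = re.compile(r"(?<![\w.-])((?:\d{1,3}\.){3}\d{1,3}|[\w-]+(?:\.[\w-]+)+)(?![\w-])")


def is_known_hash(digest: str) -> bool:
    """Case-insensitive lookup against the advisory's hash list."""
    return digest.strip().lower() in KNOWN_HASHES


def match_hashes(data: bytes) -> list:
    """(algorithm, digest) pairs for `data` that hit the advisory list."""
    digests = [(alg, hashlib.new(alg, data).hexdigest()) for alg in ("md5", "sha1", "sha256")]
    return [(alg, d) for alg, d in digests if is_known_hash(d)]


def scan_log_line(line: str) -> set:
    """Advisory network indicators referenced by one log line.
    A domain matches itself and any subdomain; IPs match exactly."""
    hits = set()
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        for ioc in NETWORK_IOCS:
            if host == ioc or host.endswith("." + ioc):
                hits.add(ioc)
    return hits


def scan_logs(lines) -> list:
    """(line_number, sorted indicators) for every line that references an IOC."""
    return [(n, sorted(h)) for n, line in enumerate(lines, 1) if (h := scan_log_line(line))]


SAMPLE_LOGS = [  # constructed for the demo
    "2020-12-16T10:02:11Z proxy CONNECT cdn.pichostfrm.net:443 client=10.0.0.25",
    "2020-12-16T10:02:12Z dns query A pichostfrm.net from 10.0.0.25",
    "2020-12-16T10:03:40Z fw allow tcp 10.0.0.25:51234 -> 82.221.136.27:443",
    "2020-12-16T10:05:00Z proxy GET https://www.example.com/ client=10.0.0.31",
]

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, match_hashes(fh.read()) or "no hash match")
    for n, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(hits)}")
```

The subdomain rule is deliberate: a C2 domain is usually blocked as a zone, so `cdn.pichostfrm.net` should hit while `pichostfrm.net.example` should not, and IPs are compared as whole tokens so that `162.0.229.203` does not match inside a longer string. Hashes are compared case-insensitively because EDR exports and sandbox reports do not agree on casing.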