Rewterz Threat Alert – APT group Donot – Active IOCs
June 9, 2021
Severity
High
Analysis Summary
CageyChameleon is a malware family associated with a low-volume eCrime operation that targets companies involved in cryptocurrency and blockchain technology, particularly cryptocurrency exchanges. The group responsible for deploying CageyChameleon is known as CryptoCore (aka CryptoMimic, Leery Turtle, and Dangerous Password). The group relies heavily on Visual Basic Script (VBScript) rather than executables or in-memory payloads, and its main tool is the script-based backdoor tracked as CageyChameleon. The group has been active since at least 2018; since August 2020 it has replaced its VBScript infection chain with JavaScript (JS) payloads that perform equivalent functions. The introduction of JS payloads may represent an attempt to evade detection.
Impact
- Exposure of sensitive data
- Financial loss
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
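As an added illustration of the second remediation step (this is example code, not Rewterz's), the sweep below walks a directory tree, computes MD5, SHA-1 and SHA-256 of each file in one pass, and reports any digest that appears in a supplied IoC list. The IoC values and sample files in `demo_sweep` are constructed placeholders, not the hashes from this alert; in practice the list is loaded from the advisory.

```python
"""Hash-based IoC sweep for a directory tree (added example, not Rewterz code)."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

CHUNK = 1 << 20  # 1 MiB read buffer so large files need not fit in memory


def file_digests(path: Path) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of one file in a single read pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def normalise_iocs(iocs: Iterable[str]) -> set:
    """Lower-case and strip indicators so case or whitespace differences in a
    copied advisory do not cause misses; empty entries are dropped."""
    return {i.strip().lower() for i in iocs if i.strip()}


def sweep(root: Path, iocs: Iterable[str]) -> List[Tuple[Path, str, str]]:
    """Walk `root` and return (path, algorithm, digest) for every hash hit."""
    bad = normalise_iocs(iocs)
    hits: List[Tuple[Path, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digests = file_digests(p)
            except OSError:
                continue  # unreadable file (permissions, transient); skip, keep going
            for algo, digest in digests.items():
                if digest in bad:
                    hits.append((p, algo, digest))
    return hits


def demo_sweep() -> List[Tuple[str, str, str]]:
    """Self-check on constructed data: one file whose SHA-256 is in the IoC list
    (given upper-cased to exercise normalisation) and one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payload.js").write_bytes(b"constructed sample payload")  # constructed
        (root / "benign.txt").write_bytes(b"nothing to see here")  # constructed
        iocs = [hashlib.sha256(b"constructed sample payload").hexdigest().upper()]
        return [(p.name, algo, d) for p, algo, d in sweep(root, iocs)]
```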