Rewterz Threat Alert – Stonefly Group Continues To Hit High-Value Targets – Active IOCs

May 4, 2022

Rewterz Threat Alert – Snake Keylogger’s Malware – Active IOCs

May 5, 2022

Rewterz Threat Alert – Calypso APT Group’s Attack On A Telecommunications Company In Kazakhstan – Active IOCs

May 4, 2022

Severity

High

Analysis Summary

One of Kazakhstan’s telecommunication organizations contacted a security solution provider in October 2021 with a suspect of malware on the company’s network. During the investigation, the researchers determined that the company’s internal servers have been infiltrated since 2019. Also, Backdoor.PlugX.93 and BackDoor.Whitebird.30, the Fast Reverse Proxy (FRP) utilities, and RemCom have been discovered as the main attackers’ tools for several years.

Research concluded that the threat actor group specialized in infecting the mail servers of Asian firms that had Microsoft Exchange software installed. Not only from Kazakhstan, but victims from several countries were found, including an Egyptian government agency, an Italian airport, a USA marketing company, Canadian transport, and woodworking companies.

Victims compromised from August 2021 to early November 2021 were included in the logs gathered by the command and control server. In some cases, BackDoor.Whitebird.30 was installed not only on the Microsoft Exchange server, but also on domain controllers. After the research, security researchers conclude that the Calypso APT hacker group is behind the attack.

Impact

Security Bypass
Exposure of Sensitive Data
Data Exfiltration
Remote Applications Launch

Indicators of Compromise

Domain Name

webmail[.]surfanny[.]com
www[.]sultris[.]com
mail[.]sultris[.]com
pop3[.]wordmoss[.]com
zmail[.]wordmoss[.]com
youtubemail[.]club
clark[.]l8t[.]net
blog[.]globnewsline[.]com
mail[.]globnewsline[.]com

IP

45[.]144[.]242[.]216
45[.]147[.]228[.]131
46[.]105[.]227[.]110
5[.]183[.]178[.]181
5[.]188[.]228[.]53
103[.]30[.]17[.]44
103[.]93[.]252[.]150
103[.]230[.]15[.]41
103[.]251[.]94[.]93
104[.]233[.]163[.]136
159[.]65[.]157[.]100
180[.]149[.]241[.]88
185[.]105[.]1[.]226
192[.]236[.]177[.]250
209[.]250[.]241[.]35

MD5

735d95dc1cb8e4e294016348b6d3beaa
e43c3051efa82576af905f4c9bbd5d57
7e1e4e1719cb9d3f6da7722dd20f8420
2abe9d7bf439a502208df0fe5210288b
10b83195c37bb7aa3c7fbb4312601a19
1fa7aa5695c75c8a24422c1292285aba
1ca3b8e83ca492226ff263073be018b8
189a0f223352f91d907214ad4f49840e
8741e28238b28361fe4b58bffce7f3da
958d54ea3f49c5397b8b9414cb7ccc67
c671126a995025c3ebed5748f7565510
2abe9d7bf439a502208df0fe5210288b
8e3bf34f8ed3bbf32d7a89b589c30726
2df56cc2b0a1f179e62b654de98a6077
5b913f8238934032c332b835c8961dca
10b83195c37bb7aa3c7fbb4312601a19
c7f8654f266f37ed4975030505fda5e8
64bae315170cb7cdc46fde2613163c64
735d95dc1cb8e4e294016348b6d3beaa
5f926942408ada30bea069da386a5ad3
edd2e4d4679317f959b486f5a84cc3ff
0cd20f7ce761eda2c3f014818ab0ad50
54a51c5477c2e6b746a65f1ceac4fa8d
5fe53ae52275102eb6db162685175139
e43c3051efa82576af905f4c9bbd5d57
a78255f9205bff53ca9db214aaee4d0e
b0e90d483ac14f1929de6ed8e8af878a
6983f7001de10f4d19fc2d794c3eb534
bab3877af8acd9c2475fe0f767e39f39
996c3eb5c21a20dd13b7ceee6c80b673

SHA-256

6ecfb85d150fc903a8983ae934b7d2ab7b993f87e2c42301a4e603e18483b96b
a18411eae5439f6f1d6a8b35a45e55e4d3e449012f8d1393056ed090e6389e95
279c42bee4b3a1303ec134672d306fc21210af51f06fd0807f26e249ff8086fe
955b0a859aefaef96e77bc9ed514a7f901561a031dfdd9599793cec7c55cbde9
9003908fa51ef746fda79a33d474c375640218ad654fd4368c935b2c41a1ff0f
a02515595bfff6567a7ff830ad8045ccf2fce61d0b28eec0cb6ae94cb5f0303f
efc63d5cb370e464d6b6c1e31c8af93c47d2e12d7b115183555679071cafce93
70feb00b89457044cbd6766c7adad5a432b8d3130b01ba33e54c1b20ab0a9432
27ceb3af67905d9ddaffb29031677c0a701a17d6fb179a26e24edffbced49357
1f5fc1dae073fb7442b355a0fa8f20d28be709b2a999c26121783bb181213f81
309aac6aef02a6ce02608e041d965c131f9d65bea0bec3d34b3881c848c728e2
955b0a859aefaef96e77bc9ed514a7f901561a031dfdd9599793cec7c55cbde9
e576ec1e2630c71e0b7b15aad8c8db562dabb80ec4fc26f5480b7977f79978db
78d185c603e094065d0c86ffa99aa7f3ceba049f277e314d5d51d0c9b25beeff
7843af73e8093b094f1d685f151cf8270358530b4e3f5f47adfcb220ad66f43c
9003908fa51ef746fda79a33d474c375640218ad654fd4368c935b2c41a1ff0f
a58f8db7cfccab2925ebfe8537451c2c5d93b3ae56dde4225684bbecb33d8808
1f2b98ab7724e6dde63c8b750a7bf71bc85d0081c4798f91e14941e86b5ee0be
6ecfb85d150fc903a8983ae934b7d2ab7b993f87e2c42301a4e603e18483b96b
cdc9c0b23857dbcd94859964f67ce138b1e3b815eeb6f0267a7a00477ab2d2d5
099df583bbada49c64fbbaf516f937b7d0ea9d16e762d30206987af872d5548e
a94fa35aaa2ec10e9cee7795e67f3ef435477200a0403b0a1fcc95cf7e06295d
1f8dd0b374180963fd4381012cce52a49b59261fc218ecece7a7837e6de44b1c
45f92aa1b3886f029fcc8cb67778f13f1e65ec844b6471e8def1886103bee321
a18411eae5439f6f1d6a8b35a45e55e4d3e449012f8d1393056ed090e6389e95
ad55bf10a754acef9ff4ace1369c148d4804f3543ba34b173d00c4977c4a0b8a
ab678bbd30328e20faed53ead07c2f29646eb8042402305264388543319e949c
3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
9f8d8bef6a69e3c17fef39f91ccb87507cbb6e56fdd67637825c49630dbeb82c
42ef8fb1eadf609c84262dcfa569ba63c8e31dce25347ab0dd79bb778e7790a1

SHA-1

a8bff99e1ea76d3de660ffdbd78ad04f81a8c659
abfd737b14413a7c6a21c8757aeb6e151701626a
1a4b8232237651881750911853cf22d570eada9e
595b5a7f25834df7a4af757a6f1c2838eea09f7b
ff82dcadb969307f93d73bbed1b1f46233da762f
7412b13e27433db64b610f40232eb4f0bf2c8487
f783fc5d3fc3f923c2b99ef3a15a38a015e2735a
65f64cc7aaff29d4e62520afa83b621465a79823
8b9e60735344f91146627213bd13c967c975a783
84d5f015d8b095d24738e45d2e541989e6221786
3d8a3fcfa2584c8b598836efb08e0c749d4c4aab
595b5a7f25834df7a4af757a6f1c2838eea09f7b
46e999d88b76cae484455e568c2d39ad7c99e79f
b1041acbe71d46891381f3834c387049cbbb0806
635e3cf8fc165a3595bb9e25030875f94affe40f
ff82dcadb969307f93d73bbed1b1f46233da762f
429357f91dfa514380f06ca014d3801e3175894d
cc5bce8c91331f198bb080d364aed1d3301bfb0c
a8bff99e1ea76d3de660ffdbd78ad04f81a8c659
5a171b55b644188d81218d3f469cf0500f966bac
b3ecb0ac5bebc87a3e31adc82fb6b8cc4fb66d63
a3347d3dc5e7c3502d3832ce3a7dd0fc72e6ea49
36624dc9cd88540c67826d10b34bf09f46809da7
16728655e5e91a46b16c3fe126d4d18054a570a1
abfd737b14413a7c6a21c8757aeb6e151701626a
a5829ed81f59bebf35ffde10928c4bc54cadc93b
4f0ea31a363cfe0d2bbb4a0b4c5d558a87d8683e
23873bf2670cf64c2440058130548d4e4da412dd
a6e9f5d8295d67ff0a5608bb45b8ba45a671d84c
39c5459c920e7c0a325e053116713bfd8bc5ddaf

Remediation

Block all threat indicators at their respective controls
Search for IOCs in your environment.
Do not download software and files from unofficial and untrusted sources

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us