Rewterz Threat Alert – Evilnum APT Group – Active IOCs
June 4, 2021
Severity
High
Analysis Summary
An ongoing surveillance operation has been identified targeting a Southeast Asian government. The attackers use spear-phishing to gain initial access and leverage old Microsoft Office vulnerabilities together with a chain of in-memory loaders in an attempt to install a previously unknown backdoor on the victim's machine. The investigation shows the operation was carried out by a Chinese APT group that has been testing and refining the tools in its arsenal for at least 3 years. Analyzing the backdoor's code evolution since its first appearance in the wild showed how it transformed from a single executable into a multi-stage attack, making it harder to detect and investigate.
Impact
- Unauthorized Access
- Information Theft
- Code Execution
Indicators of Compromise
Filename
- Thông cáo báo chí Kỳ họp thứ nhất của Ủy ban Kiểm tra Trung ương khóa XIII[.]docx
- main[.]jpg
- 5[.]t
IP
- 45[.]91[.]225[.]139
- 107[.]148[.]165[.]151
- 45[.]121[.]146[.]88
MD5
SHA-256
SHA1
Remediation
- Block all threat indicators at their respective controls.
- Look for IOCs in your environment.
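To act on the remediation steps, an added example (not part of the alert) that refangs this alert's defanged indicators and sweeps log lines and attachment contents for them; the log lines, file bytes and the SHA-256 watchlist entry are constructed, not real telemetry.

```python
"""Sweep constructed log lines and attachments for this alert's IOCs (added example)."""
import hashlib
import re

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 45[.]91[.]225[.]139 back into a usable value."""
    return indicator.replace("[.]", ".")

# Indicators taken from the alert above, in the defanged form it publishes them.
IOC_IPS = {refang(i) for i in ("45[.]91[.]225[.]139", "107[.]148[.]165[.]151", "45[.]121[.]146[.]88")}
IOC_FILENAMES = {refang(f) for f in ("main[.]jpg", "5[.]t")}

# Constructed sample data (proxy/firewall lines and extracted attachments), not real telemetry.
SAMPLE_LOG = [
    "2021-06-04T10:01:12Z proxy src=10.0.0.7 dst=45.91.225.139:443 action=ALLOW",
    "2021-06-04T10:02:30Z proxy src=10.0.0.9 dst=93.184.216.34:443 action=ALLOW",
    "2021-06-04T10:05:41Z fw src=10.0.0.7 dst=107.148.165.151:80 action=ALLOW",
]
SAMPLE_FILES = {  # filename -> file bytes
    "main.jpg": b"MZ\x90\x00constructed-stage-payload",
    "report.docx": b"PK\x03\x04constructed-benign-document",
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sweep_logs(lines):
    """Return (line_index, ip) for every line that mentions an IOC IP."""
    hits = []
    for idx, line in enumerate(lines):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((idx, ip))
    return hits

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sweep_files(files, hash_watchlist):
    """Flag files by IOC filename and/or by SHA-256 match against a watchlist."""
    flagged = {}
    for name, data in files.items():
        reasons = []
        if name in IOC_FILENAMES:
            reasons.append("filename")
        if sha256_hex(data) in hash_watchlist:
            reasons.append("sha256")
        if reasons:
            flagged[name] = reasons
    return flagged

if __name__ == "__main__":
    watch = {sha256_hex(SAMPLE_FILES["main.jpg"])}  # constructed watchlist entry
    print(sweep_logs(SAMPLE_LOG))
    print(sweep_files(SAMPLE_FILES, watch))
```

In a real sweep the watchlist would hold the alert's published hashes and the inputs would come from your proxy, firewall and mail-gateway exports.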