March 6, 2023
Severity
High
Analysis Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a fresh alert on Royal ransomware and expressed concern about its new methods and effects. Royal ransomware is a custom-designed program that has been targeting US and international organizations since September 2022. The group behind this malware is believed to be made up of seasoned threat actors who used to be part of Conti Team One. The ransomware program is an evolution of earlier versions such as Zeon. After gaining access to victims’ networks, the Royal actors disable antivirus software and exfiltrate large amounts of data before finally deploying the ransomware and encrypting the systems.
The group uses various methods of initial access, including callback phishing, remote desktop protocol (RDP), exploitation of public-facing applications, and initial access brokers (IABs). The ransom demands vary from $1 million to $11 million, with the threat actors targeting critical sectors such as healthcare, education, communications, and manufacturing.
Royal ransomware uses a unique partial encryption approach that enables the threat actors to select a specific percentage of data in a file to encrypt, which helps evade detection. The ransomware can target both Windows and Linux environments and has been linked to 19 attacks in January 2023 alone, putting it behind other ransomware programs such as LockBit, ALPHV, and Vice Society.
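To make the partial-encryption point concrete, here is an added example (not code from the alert, from CISA, or from the Royal sample itself) that contrasts whole-file entropy with per-chunk entropy on a constructed document: a file with half of its chunks encrypted stays below the threshold a whole-file entropy check would use, while a per-chunk check still flags it. The 4 KiB chunk size, the 7.5 bits/byte threshold and the sample content are assumptions of this example, not Royal's actual scheme.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096   # entropy is judged per 4 KiB chunk (assumed size, not Royal's)
HIGH = 7.5     # bits/byte at or above which a chunk looks encrypted
TEXT = (b"Quarterly report: revenue up 4%, costs flat.\n" * 100)[:CHUNK]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data: bytes, size: int = CHUNK) -> list:
    """Entropy of each fixed-size chunk, in file order."""
    return [entropy(data[i:i + size]) for i in range(0, len(data), size)]

def classify(data: bytes) -> str:
    """'plain': no high-entropy chunk; 'encrypted': all of them; 'partial': a mix."""
    ents = chunk_entropies(data)
    high = sum(1 for e in ents if e >= HIGH)
    if high == 0:
        return "plain"
    return "encrypted" if high == len(ents) else "partial"

def pseudo_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes standing in for encrypted data."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def constructed_sample(encrypt_every: int, chunks: int = 20) -> bytes:
    """Constructed 20-chunk document where every `encrypt_every`-th chunk is
    replaced by ciphertext-like bytes: 0 leaves it plain, 1 encrypts it fully,
    2 encrypts half of it (the partial-encryption case)."""
    parts = []
    for i in range(chunks):
        if encrypt_every and i % encrypt_every == 0:
            parts.append(pseudo_ciphertext(CHUNK, seed=bytes([i])))
        else:
            parts.append(TEXT)
    return b"".join(parts)

if __name__ == "__main__":
    for k in (0, 2, 1):
        blob = constructed_sample(k)
        print(k, round(entropy(blob), 2), classify(blob))
```

The half-encrypted file scores roughly 7 bits/byte overall, under the 7.5 cut-off, so only the per-chunk view reveals the mixed layout.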
The group employs Cobalt Strike and PsExec for lateral movement and repurposes Cobalt Strike for data aggregation and exfiltration. To prevent system recovery, the threat actors delete shadow copies by relying on the Windows Volume Shadow Copy Service. Several command-and-control (C2) servers associated with Qakbot have been utilized in Royal ransomware intrusions, although it is unclear if the malware exclusively relies on Qakbot infrastructure.
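As an added detection example that is not part of the alert, the following scans constructed process-creation records for the shadow-copy deletion command lines that publicly available detection rules commonly key on. The alert itself only names the Volume Shadow Copy Service; the specific utility patterns, the record format, and the hostnames, timestamps and parent processes are assumptions constructed for this example.

```python
import re

# Command lines that remove Volume Shadow Copies; assumed from widely
# published detection content, not taken from the alert itself.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I),
]

def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when a command line matches a known shadow-copy wipe pattern."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)

def parse_record(line: str) -> dict:
    """Parse one 'key=value|key=value' record (a constructed log format)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def find_shadow_deletions(lines) -> list:
    """Return (timestamp, host, parent, cmd) for every record that matches."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_shadow_copy_deletion(rec.get("cmd", "")):
            hits.append((rec["ts"], rec["host"], rec["parent"], rec["cmd"]))
    return hits

# Constructed sample records; hosts, times and parent processes are invented.
# The third line is a benign listing and the fourth is ordinary service
# activity, so neither should be flagged.
SAMPLE_LOG = [
    "ts=2023-03-06T02:14:07Z|host=WS-042|parent=cmd.exe|cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "ts=2023-03-06T02:14:09Z|host=WS-042|parent=cmd.exe|cmd=wmic shadowcopy delete",
    "ts=2023-03-06T02:15:11Z|host=WS-042|parent=explorer.exe|cmd=vssadmin list shadows",
    "ts=2023-03-06T02:16:00Z|host=SRV-01|parent=services.exe|cmd=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for ts, host, parent, cmd in find_shadow_deletions(SAMPLE_LOG):
        print(f"{ts} {host} parent={parent}: {cmd}")
```

Two deletions in quick succession on one host, both spawned from a shell, are the kind of sequence worth alerting on ahead of the encryption stage.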
To prevent data loss in the event of a ransomware attack, organizations must implement strong security measures and regularly back up their data. Educating employees about phishing attacks and limiting access to sensitive systems to only authorized personnel is crucial. Regular security assessments can help identify vulnerabilities and potential entry points for threat actors.
Impact
- Information Theft
- File Encryption
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.