March 4, 2022
Severity
High
Analysis Summary
Security researchers have identified a new backdoor, Daxin. Once installed, it lets the attacker read and write arbitrary files on the infected system, start arbitrary processes and interact with them, and perform other operations.

What sets Daxin apart is how it communicates. Rather than opening its own connection to a command-and-control server, it hijacks legitimate TCP/IP connections: it monitors incoming TCP traffic for specific patterns and, when such a pattern is detected, disconnects the legitimate recipient and takes over the connection. It then performs a custom key exchange with the remote peer, the two sides following complementary steps; once the exchange succeeds, an encrypted channel is established over which Daxin receives commands and returns responses. Because this traffic rides inside a connection the network already permits, Daxin can maintain connectivity through strict firewall rules, and its communications are difficult to distinguish from the legitimate session they replace. SOC analysts who hunt for network anomalies such as new outbound connections, beaconing or unexpected listening ports will not find a separate command-and-control channel: the malicious traffic appears on an established connection to a legitimate service.
Impact
- Code Execution
- Data Exfiltration
Indicators of Compromise
MD5
- b0770094c3c64250167b55e4db850c04
- 46a9627fea9e34bea545aac6a991ff56
- 3f408d4d9c27b174d67c6154f8063092
- 62c18d61ed324088f963510bae43b831
- a6e9d6505f6d2326a8a9214667c61c67
- 1cd158a64f3d886357535382a6fdad75
- 8636fe3724f2bcba9399daffd6ef3c7e
- 79df0eabbf2895e4e2dae15a4772868c
- 47e6ac52431ca47da17248d80bf71389
- 6d131a7462e568213b44ef69156f10a5
- 4b058945c9f2b8d8ebc485add1101ba5
- bd5b0514f3b40f139d8079138d01b5f6
- 491aec2249ad8e2020f9f9b559ab68a8
- 14580bd59c55185115fd3abe73b016a2
- f242cffd9926c0ccf94af3bf16b6e527
- 50b39072d0ee9af5ef4824eca34be6e3
- 0ae30291c6cbfa7be39320badd6e8de0
SHA-256
- 06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4
- 0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555
- 3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4
- 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530
- 5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae
- 5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a
- 6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f
- 8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce
- b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427
- b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3
- e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e
- 7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376
- 8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e
- 96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc
- 9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51
- c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c
- e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217
SHA-1
- 6abbc3003c7aa69ce79cbbcd2e3210b07f21d202
- a53e46a5d401e8a87fe1520e75ebcbe69ea6e6d1
- dd6fcbe0e3c6997e3358788c156dc937c72af8a0
- 8302802b709ad242a81b939b6c90b3230e1a1f1e
- cb3f30809b05cf02bc29d4a7796fb0650271e542
- a48aa80942fc8e0699f518de4fd6512e341d4196
- 3b6b35bca1b05fafbfc883a844df6d52af44ccdc
- d02403f85be6f243054395a873b41ef8a17ea279
- d417c0be261b0c6f44afdec3d5432100e420c3ed
- 25bf4e30a94df9b8f8ab900d1a43fd056d285c9d
- 37e6450c7cd6999d080da94b867ba23faa8c32fe
- 73bac306292b4e9107147db94d0d836fdb071e33
- 8692274681e8d10c26ddf2b993f31974b04f5bf0
- 71469dce9c2f38d0e0243a289f915131bf6dd2a8
- 53f776d9a183c42b93960b270dddeafba74eb3fb
- 064de88dbbea67c149e779aac05228e5405985c7
- c257aa4094539719a3c7b7950598ef872dbf9518
Remediation
- Block the threat indicators at their respective controls (endpoint protection and EDR hash blocklists, mail and web gateways).
- Search for the IOCs in your environment, including file hashes on endpoints and servers, and investigate any host that matches.
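One way to carry out the IOC search above, as an added example that is not part of the advisory or of any vendor tooling: a Python script that parses the advisory's IOC section (a hash-type header followed by one "- <hex>" line per indicator) and sweeps a directory tree, computing MD5, SHA-1 and SHA-256 in a single pass per file and reporting every match. The embedded `ADVISORY_IOC_TEXT` is an excerpt of the lists on this page; in practice paste the full MD5, SHA-1 and SHA-256 sections in. The root path and the matching rule by digest length are assumptions of this example.

```python
"""Sweep a directory tree for files whose hash matches advisory IOCs.

Example code written for this page; not the advisory's or any vendor's tool.
"""
import hashlib
import os
import re
import sys

# Excerpt of the advisory's IOC section (constructed sample for this example):
# a hash-type header line, then one "- <hex digest>" line per indicator.
ADVISORY_IOC_TEXT = """\
MD5
- b0770094c3c64250167b55e4db850c04
- 46a9627fea9e34bea545aac6a991ff56
SHA-256
- 06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4
- 0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555
SHA-1
- 6abbc3003c7aa69ce79cbbcd2e3210b07f21d202
- a53e46a5d401e8a87fe1520e75ebcbe69ea6e6d1
"""

# Assumption: classify each indicator by hex length rather than by the header it
# sits under, so an entry filed under the wrong header still matches correctly.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
ALGOS = ("md5", "sha1", "sha256")


def parse_iocs(text):
    """Return {"md5": set, "sha1": set, "sha256": set} of lower-case hex digests."""
    iocs = {algo: set() for algo in ALGOS}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*-\s*([0-9a-fA-F]+)\s*", line)
        if not m:
            continue  # header line or stray text
        digest = m.group(1).lower()
        algo = HEX_LEN_TO_ALGO.get(len(digest))
        if algo:
            iocs[algo].add(digest)
    return iocs


def hash_file(path, chunk_size=1 << 20):
    """Compute all three digests in one pass, streaming so large files fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def sweep(root, iocs):
    """Walk root; return a list of (path, algo, digest) for every file that matches."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow symlinks out of the tree being swept
            try:
                digests = hash_file(path)
            except OSError as err:
                # Locked or unreadable file: report it and keep going rather than
                # aborting the whole sweep; an unreadable file still deserves a look.
                print(f"skip {path}: {err}", file=sys.stderr)
                continue
            for algo, digest in digests.items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


if __name__ == "__main__":
    # Usage: python sweep.py <root-dir>   (root defaults to the current directory)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in sweep(root, parse_iocs(ADVISORY_IOC_TEXT)):
        print(f"MATCH {algo} {digest} {path}")
```

A match on any one of the three digest families is enough to flag a file; the script checks all three so the same list serves regardless of which hash type your EDR or SIEM exports. Run it with an account that can read the paths of interest, and treat an unreadable file in a suspicious location as a finding in its own right rather than silently skipping it.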