Severity
High
Analysis Summary
Donot APT is an advanced persistent threat (APT) group, a highly sophisticated and persistent cyber threat actor that has been active in recent years. Their activities primarily focus on conducting targeted cyber espionage campaigns against various organizations, including government entities, defense contractors, and technology companies.
Donot APT has demonstrated advanced technical capabilities and employs a range of sophisticated tactics, techniques, and procedures (TTPs) to gain unauthorized access to their targets’ networks and steal sensitive information. They often utilize a combination of social engineering, spear-phishing emails, and zero-day vulnerabilities to compromise their victims’ systems.
Once inside the targeted network, Donot APT engages in lateral movement, escalating privileges, and maintaining persistent access. They employ custom-built malware, including remote access trojans (RATs), backdoors, and keyloggers, to exfiltrate data and maintain control over compromised systems. Additionally, they leverage advanced anti-forensic techniques to evade detection and maintain their presence within the targeted networks for extended periods, sometimes lasting years.
Attribution of Donot APT to a specific nation-state or organization is challenging, as they exhibit a high level of operational security and employ false flag techniques to misdirect investigators. However, security researchers and intelligence agencies have linked the group to state-sponsored cyber activities.
Impact
- Information Theft and Espionage
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.