Rewterz Threat Alert – APT37 Aka StarCruft or RedEyes – Active IOCs
August 22, 2023
Rewterz Threat Alert – XLoader macOS Malware Variation Concealed as ‘OfficeNote’ Productivity Software – Active IOCs
August 22, 2023
Severity
High
Analysis Summary
Donot APT is a highly sophisticated and persistent advanced persistent threat (APT) group that has been active in recent years. Its activities primarily focus on targeted cyber-espionage campaigns against a range of organizations, including government entities, defense contractors, and technology companies.
Donot APT has demonstrated advanced technical capabilities and employs a range of sophisticated tactics, techniques, and procedures (TTPs) to gain unauthorized access to their targets’ networks and steal sensitive information. They often utilize a combination of social engineering, spear-phishing emails, and zero-day vulnerabilities to compromise their victims’ systems.
Once inside the targeted network, Donot APT engages in lateral movement, escalating privileges, and maintaining persistent access. They employ custom-built malware, including remote access trojans (RATs), backdoors, and keyloggers, to exfiltrate data and maintain control over compromised systems. Additionally, they leverage advanced anti-forensic techniques to evade detection and maintain their presence within the targeted networks for extended periods, sometimes lasting years.
Attribution of Donot APT to a specific nation-state or organization is challenging, as they exhibit a high level of operational security and employ false flag techniques to misdirect investigators. However, security researchers and intelligence agencies have linked the group to state-sponsored cyber activities.
Impact
- Information Theft and Espionage
Indicators of Compromise
MD5
- 549b22eeb538376e7b2c63f30f137075
SHA-256
- 12334a40680a030287e4cea05814bd6ab05e3b2f2a62aec82fc6361cc829c702
SHA-1
- 9aaef66898d85b521529e3894ddf36cf09956534
URL
- http://cardlogical.info/bo1fdeNGuIiitis3/4JH0qYxTk53tul7xUZ4bmbj9nzb19Y9vMgBxfG0N4NhUJvYb.ico
- http://cardlogical.info/bo1fdeNGuIiitis3/4JH0qYxTk53tul7xUZ4bmbj9nzb19Y9vMgBxfG0N4NhUJvYb.png
- http://cardlogical.info/bo1fdeNGuIiitis3/4JH0qYxTk53tul7xUZ4bmbj9nzb19Y9vMgBxfG0N4NhUJvYb.mp3
- http://cardlogical.info/bo1fdeNGuIiitis3/4JH0qYxTk53tul7xUZ4bmbj9nzb19Y9vMgBxfG0N4NhUJvYb.mp4
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
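One way to carry out the IOC search the remediation list calls for, as an added example that is not part of the Rewterz alert: it hashes files against the three listed digests in a single pass and scans proxy-log lines for the listed host and directory, so it also catches requests for the same path with an extension other than the four listed above. The proxy-log format and the sample lines are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlsplit
# Indicators copied from the alert above.
IOC_HASHES = {
    "md5": {"549b22eeb538376e7b2c63f30f137075"},
    "sha1": {"9aaef66898d85b521529e3894ddf36cf09956534"},
    "sha256": {"12334a40680a030287e4cea05814bd6ab05e3b2f2a62aec82fc6361cc829c702"},
}
IOC_HOST = "cardlogical.info"
IOC_PATH_PREFIX = "/bo1fdeNGuIiitis3/"  # directory shared by all four listed URLs
def hash_chunks(chunks):
    """Feed an iterable of byte chunks through md5, sha1 and sha256 in one pass."""
    hashers = {name: hashlib.new(name) for name in IOC_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    with open(path, "rb") as fh:
        return hash_chunks(iter(lambda: fh.read(chunk_size), b""))

def matching_algorithms(digests):
    """Return the (sorted) algorithms whose digest equals a listed indicator."""
    return sorted(n for n, v in digests.items() if v.lower() in IOC_HASHES.get(n, ()))
# Assumed (constructed) proxy log format: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(?P<client>\S+)\s+(\S+)\s+(?P<url>\S+)\s+(\d{3})$")

def is_ioc_url(url):
    """Match the listed host and directory whatever the extension; hostname is case-folded."""
    parts = urlsplit(url)
    return parts.hostname == IOC_HOST and parts.path.startswith(IOC_PATH_PREFIX)

def scan_proxy_log(lines):
    """Return (client-ip, url) for every log line that requested an indicator URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_ioc_url(m.group("url")):
            hits.append((m.group("client"), m.group("url")))
    return hits

# Constructed sample log: one listed URL, one benign request, one same-directory request with another extension.
SAMPLE_LOG = [
    "2023-08-22T10:00:01Z 10.0.0.5 GET http://cardlogical.info/bo1fdeNGuIiitis3/4JH0qYxTk53tul7xUZ4bmbj9nzb19Y9vMgBxfG0N4NhUJvYb.ico 200",
    "2023-08-22T10:00:02Z 10.0.0.7 GET https://example.com/index.html 200",
    "2023-08-22T10:00:03Z 10.0.0.9 GET http://CARDLOGICAL.INFO/bo1fdeNGuIiitis3/update.mp4 404",
]
```

A real deployment would feed `hash_file` the paths from an EDR file inventory and `scan_proxy_log` the proxy export, after adjusting `LOG_RE` to the proxy's actual format.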