December 1, 2022
Severity
High
Analysis Summary
Researchers have uncovered a large-scale phishing campaign aimed at the government, academic, foundation, and research sectors, with a focus on Australia, Japan, Taiwan, Myanmar, and the Philippines.
The campaign was observed from March 2022 to October 2022 and is attributed to the Advanced Persistent Threat (APT) group Earth Preta (also known as Mustang Panda and Bronze President). Earth Preta is known for developing its own loaders and using them alongside existing tools such as PlugX and Cobalt Strike to compromise targets.
In this campaign, Earth Preta used fake Google accounts to deliver malware through spear-phishing emails. The malware is packed in an archive file (RAR, ZIP or JAR) and distributed via Google Drive links. Researchers identified two new malware families used by the group, TONEINS and TONESHELL, alongside PUBLOAD, which had been disclosed earlier:
PUBLOAD – A stager that downloads the next-stage payload from its command-and-control (C&C) server. Cisco Talos first reported it in May 2022.
TONEINS – A first-stage installer that drops the TONESHELL backdoor and establishes persistence for it.
TONESHELL – The main backdoor used in this campaign. It is a shellcode loader that uses a 32-byte key held in memory to decode and load the backdoor shellcode.
The threat actors also employ techniques such as code obfuscation and custom exception handlers to hinder detection and analysis. The senders of the spear-phishing emails were found to be the same accounts that own the Google Drive links used for delivery.
“We also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts.”
At least three types of arrival vectors were observed as entry points in this campaign, with more than 30 lure archives distributed worldwide via Google Drive links, Dropbox links, or IP addresses hosting the files directly.
Researchers concluded that once the group has gained access to a victim's network, the sensitive data it exfiltrates can be repurposed as lures for the next wave of intrusions.
The researchers also recommend the following mitigations:
- Implement ongoing phishing awareness training for partners and staff.
- Always double-check the sender and subject of an email before opening it, especially if it has an unidentifiable sender or an ambiguous subject.
- Use a multi-layered protection solution to identify and block threats as far left in the malware infection chain as feasible.
Impact
- Information Theft
- Exposure To Sensitive Data
Indicators of Compromise
MD5
df4bbe9388d6a41148b5def5fa2c5bbc
56c729f2eb6b4525f87f84320a0031d2
cea56e4c29db2acc5234c548a11ca9a6
67da319f1e2d4d30507360634feb67e5
SHA-256
c0b9438186e27a1ebba214724a35195ce1f3fea41b6c0b69a10c649688371ec3
72b870a6914798b75bd45e483a47bf1c6eabd185ea577b621a23242a13ec58df
186c3d32b3674faaf2c59b780ec2e5aeedc48199beae07c69e7cc14180c3683b
1ba12162a50fd5acbb38d9d0a99efb3b43358457e3279b86954dfff39b5cde4d
SHA-1
e5c274d7df144c3734240b5735f57e0ac4d45210
fbb56bad56b356d62e29969c8b46811784325e90
aeefe56ca06e3b1fbd75983b10b82ade0062d73a
b6ddd3c652643b17fb902cc1a6c5e70e97248474
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
- Implement ongoing phishing awareness training for partners and staff.
- Use a multi-layered protection solution to identify and block threats as far left in the malware infection chain as feasible.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
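The "Search for IOCs in your environment" step above is easiest to act on with a small hash-matching scan. The following is an added example written for this page, not Rewterz's or the original researchers' tooling: it embeds the alert's MD5, SHA-1 and SHA-256 indicators, hashes every file under a directory once (all three digests in a single read) and reports matches. The demo() function, the temporary directory, the file names and the sample bytes are constructed for illustration and are not real malware; parse_ioc_text() is there so the indicator section of an alert can be pasted into a text file and loaded without sorting hashes by algorithm by hand. A real run points scan_directory() at a mail quarantine, a downloads folder or the extracted contents of a suspicious archive.

```python
import hashlib
import os
import tempfile

# Hashes copied from the alert's Indicators of Compromise section (lower-case hex).
IOC_HASHES = {
    "md5": {
        "df4bbe9388d6a41148b5def5fa2c5bbc",
        "56c729f2eb6b4525f87f84320a0031d2",
        "cea56e4c29db2acc5234c548a11ca9a6",
        "67da319f1e2d4d30507360634feb67e5",
    },
    "sha1": {
        "e5c274d7df144c3734240b5735f57e0ac4d45210",
        "fbb56bad56b356d62e29969c8b46811784325e90",
        "aeefe56ca06e3b1fbd75983b10b82ade0062d73a",
        "b6ddd3c652643b17fb902cc1a6c5e70e97248474",
    },
    "sha256": {
        "c0b9438186e27a1ebba214724a35195ce1f3fea41b6c0b69a10c649688371ec3",
        "72b870a6914798b75bd45e483a47bf1c6eabd185ea577b621a23242a13ec58df",
        "186c3d32b3674faaf2c59b780ec2e5aeedc48199beae07c69e7cc14180c3683b",
        "1ba12162a50fd5acbb38d9d0a99efb3b43358457e3279b86954dfff39b5cde4d",
    },
}

# Hex digest length tells us which algorithm an indicator belongs to.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest of the matching length, else None."""
    h = value.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return HEX_LENGTHS.get(len(h))


def parse_ioc_text(text):
    """Build an {algorithm: set(hashes)} table from free text such as an alert's IOC
    section pasted into a file; non-hash lines (headings like 'MD5') are ignored."""
    table = {alg: set() for alg in HEX_LENGTHS.values()}
    for line in text.splitlines():
        alg = classify_hash(line)
        if alg:
            table[alg].add(line.strip().lower())
    return table


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass, reading 1 MiB at a time."""
    hashers = {alg: hashlib.new(alg) for alg in HEX_LENGTHS.values()}
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_iocs(digests, iocs=IOC_HASHES):
    """Return the (algorithm, digest) pairs from digests that appear in the IOC table."""
    return [(alg, digests[alg]) for alg in HEX_LENGTHS.values()
            if alg in digests and digests[alg] in iocs.get(alg, ())]


def scan_directory(root, iocs=IOC_HASHES):
    """Hash every regular file under root; return {path: [(algorithm, digest), ...]}
    for files that match at least one indicator."""
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it and keep scanning
            matched = match_iocs(digests, iocs)
            if matched:
                hits[path] = matched
    return hits


def demo():
    """Offline self-check on constructed data: a harmless sample file's SHA-256 is added
    to a copy of the IOC table, and the scanner must flag that file and nothing else."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "lure.rar")  # name only; the bytes are harmless filler
        with open(sample, "wb") as f:
            f.write(b"constructed sample content for the IOC scanner demo\n")
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"unrelated clean file\n")
        iocs = {alg: set(h) for alg, h in IOC_HASHES.items()}
        iocs["sha256"].add(hash_file(sample)["sha256"])
        hits = scan_directory(tmp, iocs)
        return {os.path.basename(p): [alg for alg, _ in m] for p, m in hits.items()}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_directory(target) if target else demo()
    for path, matches in results.items():
        print(path, matches)
```

Hashing once and comparing against all three indicator sets matters because alerts rarely publish all three digests for every sample; a file is flagged if any algorithm matches. The scanner deliberately skips unreadable files instead of aborting, so a locked or transient file does not end a sweep of a large share.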