Rewterz Threat Advisory – ICS: Siemens SCALANCE X Switches (January 19, 2021)
Rewterz Threat Alert – PatchWork APT Group Targeting Pakistan AirForce (January 20, 2021)
Severity
High
Analysis Summary
New IoCs have been retrieved from a campaign distributing the GandCrab ransomware. GandCrab campaigns typically rely on emails crafted to deceive the recipient into opening a malicious attachment; the infection chain starts once the attachment is opened. Note that the malware cannot install itself unless the victim also enables macros in the attached document, so the lure has to persuade the user to click through Office's macro warning. As with other ransomware, GandCrab encrypts the victim's files and demands a ransom payment. It usually targets consumers and businesses running Microsoft Windows PCs and has been involved in some of the largest ransomware attacks, causing substantial monetary losses. GandCrab operators commonly impersonate legitimate services to make the lure convincing: in January 2020, for instance, GandCrab was distributed inside a Word document named "Flu pandemic warning.doc" purporting to come from the Centers for Disease Control and Prevention (CDC). A further GandCrab distribution campaign was observed in October 2020.
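Because the page's infection chain depends on a macro-bearing Office attachment, the cheapest gateway check is whether an attachment carries a VBA project at all, before any user ever sees the "Enable content" bar. The following is an added example, not Rewterz code and not part of the original advisory. It relies on two real OOXML conventions: macro-enabled documents store their VBA in a `vbaProject.bin` part, and `[Content_Types].xml` declares it with the content type `application/vnd.ms-office.vbaProject`. Legacy binary `.doc` files (OLE compound files, such as the "Flu pandemic warning.doc" lure) are only flagged for deeper inspection here; parsing their VBA streams needs a tool such as oletools and is not attempted. The `build_ooxml` helper constructs minimal demo containers, not real Word documents.

```python
"""Added example (not Rewterz code): classify mail attachments by whether they
carry a VBA project, using only the Python standard library."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                             # OOXML (.docx/.docm/.xlsm/...) is a zip
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-needs-inspection' or 'not-office'.

    The check is extension-agnostic on purpose: a macro-bearing OOXML file that was
    renamed to .docx or .doc still contains the vbaProject part and is caught here.
    """
    if data.startswith(OLE_MAGIC):
        # Binary Office format: VBA lives in OLE streams, which this example does not parse.
        return "ole-needs-inspection"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"          # a zip, but not an OOXML package
            content_types = zf.read("[Content_Types].xml")
            has_vba = (any(n.lower().endswith("vbaproject.bin") for n in names)
                       or VBA_CONTENT_TYPE in content_types)
            return "ooxml-macro" if has_vba else "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        overrides = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types">' + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes; a real part would be an OLE container with VBA streams.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


def triage(attachments: dict) -> dict:
    """Map attachment name -> gateway action for a set of {name: bytes} attachments."""
    action = {"ooxml-macro": "block", "ole-needs-inspection": "quarantine-inspect",
              "ooxml-clean": "allow", "not-office": "allow"}
    return {name: action[classify_attachment(data)] for name, data in attachments.items()}


if __name__ == "__main__":
    # Constructed sample mailbox: the "invoice.doc" is an OOXML macro file hiding behind a .doc name.
    sample = {
        "report.docx": build_ooxml(False),
        "invoice.doc": build_ooxml(True),
        "Flu pandemic warning.doc": OLE_MAGIC + b"\x00" * 504,
        "setup.exe": b"MZ\x90\x00",
    }
    for name, verdict in triage(sample).items():
        print(f"{name:28} -> {verdict}")
```

In production the `ole-needs-inspection` bucket should be fed to oletools (`olevba`) or the sandbox rather than released, since GandCrab lures like the CDC-themed one used the legacy format.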
Impact
- Files Encryption
- Data Exfiltration
Indicators of Compromise
Domain Name
- dns1[.]soprodns[.]ru
- dns2[.]soprodns[.]ru
- ns1[.]virmach[.]ru
- ns1[.]wowservers[.]ru
- ns2[.]virmach[.]ru
- ns2[.]wowservers[.]ru
MD5
- 88764b084e1ef20d941b8eb01f1c0405
- f9a3b29a3c28c0f289b14462e108f132
- 9e1a73c578ef44526b1c39528bbc04a5
- a44fbe164efede9aca0208307c87001f
- be77b2a8e6673829ab188743c48ad26c
- b970382176dd3f23dc8902b10ed2570e
- a7e534fef42e13d5b73d20ffb89ec78c
- af646bc85e9cf35d9f47e9a45aa5b834
SHA-256
- 9dec8cf06bb27c9f5d050690a7e88ecb23d6ba2c01e9f0c4a83063da135d04fa
- ed2467a2afef1ab64bda76886bf7d54e96870ef1fd1002e2d49c0b77d188463b
- 7163c3d52c8649463752d52c4a3e457654c9b8b0a2038752965b2f75017767ff
- 6d759edcf8661609b8e0bfdd09eae2ac8d8d8204976e43f587beea2796845976
- 4b55b1e3e54064c0053f658a83fe06256c4d8bb4b360271b1453fce879634f84
- 4706af3f19187367d25d0a7a90ac0226d9385438e972c2fbd19f7561fe896e31
- 2f97cb4061a9f1285330b5196ab052fd5754d54550b29934ebb8ac29400e0f30
- 1c8f74ebff1741f174880eed65bad53e8a600d2ba1d5ab7b2fb8f76e3994db5c
SHA-1
- f83cc40e2b01ef2965f2a77e25c32a5aa885a401
- 62bab1ba03f4701fcad0b6e12a17fbefd864fcfe
- 008fa39571a193a15c3d5d843ff9d5ee5b9ddc30
- be3eeb117711f4eeff1b255ca178937b3e1b70dc
- 71e0f3a8b7a83da18bc54e1fb586150462d550b9
- 5fe310e180c7af1824aafcd1501d9e98711d9d75
- a37f548909028a7aa1b09de7f8d513010ed27465
- a80f4c1f3df2532f9c7f41d94fa18f26094aca0f
Remediation
- Block the threat indicators at their respective controls: the listed domains at DNS, proxy and firewall layers, and the file hashes at email and endpoint protection controls.
- Do not open attachments from untrusted or unexpected emails, and do not enable macros in documents received by email.
- Do not download files from random sources on the internet.
- Maintain offline, regularly tested backups of all important files.
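"Block the threat indicators at their respective controls" also means hunting for them retroactively in DNS logs and endpoint file inventories. The following is an added example, not Rewterz code and not part of the original advisory: it takes the domains and hashes listed above verbatim, refangs the `[.]` notation, and runs them over constructed sample data. The DNS-log line format (`timestamp client=... query=... rcode=...`) and the EDR inventory records are assumptions invented for the demo, and the inventory deliberately reuses one MD5 from the advisory so that a hit is visible; adapt the parser to the resolver or EDR you actually have.

```python
"""Added example (not Rewterz code): match the advisory's IoCs against
constructed DNS-log lines and an EDR-style file-hash inventory."""
import hashlib
import re

# Indicators copied verbatim from the advisory; domains keep the published defanged form.
IOC_DOMAINS = [
    "dns1[.]soprodns[.]ru", "dns2[.]soprodns[.]ru",
    "ns1[.]virmach[.]ru", "ns2[.]virmach[.]ru",
    "ns1[.]wowservers[.]ru", "ns2[.]wowservers[.]ru",
]
IOC_HASHES = {
    "md5": {
        "88764b084e1ef20d941b8eb01f1c0405", "f9a3b29a3c28c0f289b14462e108f132",
        "9e1a73c578ef44526b1c39528bbc04a5", "a44fbe164efede9aca0208307c87001f",
        "be77b2a8e6673829ab188743c48ad26c", "b970382176dd3f23dc8902b10ed2570e",
        "a7e534fef42e13d5b73d20ffb89ec78c", "af646bc85e9cf35d9f47e9a45aa5b834",
    },
    "sha1": {
        "f83cc40e2b01ef2965f2a77e25c32a5aa885a401", "62bab1ba03f4701fcad0b6e12a17fbefd864fcfe",
        "008fa39571a193a15c3d5d843ff9d5ee5b9ddc30", "be3eeb117711f4eeff1b255ca178937b3e1b70dc",
        "71e0f3a8b7a83da18bc54e1fb586150462d550b9", "5fe310e180c7af1824aafcd1501d9e98711d9d75",
        "a37f548909028a7aa1b09de7f8d513010ed27465", "a80f4c1f3df2532f9c7f41d94fa18f26094aca0f",
    },
    "sha256": {
        "9dec8cf06bb27c9f5d050690a7e88ecb23d6ba2c01e9f0c4a83063da135d04fa",
        "ed2467a2afef1ab64bda76886bf7d54e96870ef1fd1002e2d49c0b77d188463b",
        "7163c3d52c8649463752d52c4a3e457654c9b8b0a2038752965b2f75017767ff",
        "6d759edcf8661609b8e0bfdd09eae2ac8d8d8204976e43f587beea2796845976",
        "4b55b1e3e54064c0053f658a83fe06256c4d8bb4b360271b1453fce879634f84",
        "4706af3f19187367d25d0a7a90ac0226d9385438e972c2fbd19f7561fe896e31",
        "2f97cb4061a9f1285330b5196ab052fd5754d54550b29934ebb8ac29400e0f30",
        "1c8f74ebff1741f174880eed65bad53e8a600d2ba1d5ab7b2fb8f76e3994db5c",
    },
}


def refang(indicator: str) -> str:
    """Turn the advisory's defanged form (a[.]b) back into a comparable hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


REFANGED_DOMAINS = {refang(d) for d in IOC_DOMAINS}


def domain_hits(name: str) -> bool:
    """True if `name` is exactly an IoC hostname or a label underneath one.

    The advisory lists specific hostnames (ns1/ns2/dns1/dns2), not the parent zones, so
    update.virmach.ru does NOT match; widening to the parent zone is an analyst decision.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in REFANGED_DOMAINS)


# Assumed resolver log layout for the demo; real exports will need their own regex.
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) rcode=(?P<rcode>\S+)$")

# Constructed sample DNS-log lines (not real captures).
SAMPLE_DNS_LOG = """\
2021-01-20T10:14:32Z client=10.0.5.17 query=www.microsoft.com rcode=NOERROR
2021-01-20T10:15:01Z client=10.0.5.17 query=update.virmach.ru rcode=NOERROR
2021-01-20T10:15:04Z client=10.0.5.17 query=ns1.virmach.ru rcode=NOERROR
2021-01-20T10:16:40Z client=10.0.7.3 query=dns2.soprodns.ru. rcode=SERVFAIL
2021-01-20T10:17:12Z client=10.0.7.3 query=notsoprodns.ru rcode=NOERROR
"""


def scan_dns_log(text: str) -> list:
    """Return one dict per log line whose queried name matches an IoC domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip, never guess
        if domain_hits(m["query"]):
            hits.append({"ts": m["ts"], "client": m["client"],
                         "query": m["query"].lower().rstrip(".")})
    return hits


def hash_bytes(data: bytes) -> dict:
    """Compute all three digest types the advisory publishes, for a live file check."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def hash_hits(hashes: dict) -> set:
    """Return the digest algorithms whose value appears in the advisory's hash sets."""
    return {alg for alg, value in hashes.items()
            if alg in IOC_HASHES and value.lower() in IOC_HASHES[alg]}


# Constructed EDR inventory: the first record reuses an advisory MD5 to show a hit;
# the second hashes a harmless constructed blob live so it cannot match.
SAMPLE_INVENTORY = [
    {"path": r"C:\Users\u\AppData\Local\Temp\invoice.exe", "md5": "88764b084e1ef20d941b8eb01f1c0405"},
    {"path": r"C:\Windows\notepad.exe", **hash_bytes(b"constructed content, not the real notepad")},
]


def scan_inventory(inventory: list) -> list:
    """Return (path, [matched algorithms]) for every inventory record that hits an IoC hash."""
    results = []
    for entry in inventory:
        matched = sorted(hash_hits({k: v for k, v in entry.items() if k in IOC_HASHES}))
        if matched:
            results.append((entry["path"], matched))
    return results


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS IoC hit: {hit['ts']} {hit['client']} -> {hit['query']}")
    for path, algs in scan_inventory(SAMPLE_INVENTORY):
        print(f"File IoC hit: {path} ({', '.join(algs)})")
```

Two caveats a practitioner should keep in mind: the domains published here look like nameserver hostnames rather than the C2 zone itself, so exact-or-subdomain matching as above avoids flagging every host under `virmach.ru`, and a hash match only confirms the specific sample set from this campaign; an unmatched file is not evidence of absence.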