Severity
High
Analysis Summary
The government computer emergency response team of Ukraine, CERT-UA, found the RAR archive “Диверсанти.rar”, which contains the RAR archive “Диверсанти 21.03.rar”, which in turn contains the SFX archive “Диверсанти filercs.rar” (to mask the extension, the file name contains the right-to-left override (RTLO) character).
The archive contains bait documents and images, as well as VBScript code (Thumbs.db), which will create and run the .NET program “dhdhk0k34.com”. As a result, the computer will be affected by the malicious program Cobalt Strike Beacon. – CERT-UA
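The RTLO trick described above is easy to check for on the defender's side: a file name that contains a Unicode bidirectional override renders differently from how it is stored, so the displayed extension and the real one disagree. The following is an added example (not CERT-UA's or Rewterz's code) that flags such names in a listing; the sample names are constructed to imitate the advisory's “Диверсанти filercs.rar” case.

```python
"""Detect RTLO (U+202E) extension spoofing in file names. Added example,
constructed for illustration; the bidi handling is a deliberate
approximation of how a file manager renders the name, not a full
Unicode bidi implementation."""
from pathlib import PurePath

# Unicode bidirectional controls that can reorder or hide displayed text.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI RLI FSI PDI
    "\u200e", "\u200f",                                # LRM RLM
}


def displayed_name(name: str) -> str:
    """Approximate rendering: text after an RLO (U+202E) is shown reversed
    until a PDF (U+202C) or the end of the name; other controls vanish."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            segment = [ch for ch in name[i + 1:j] if ch not in BIDI_CONTROLS]
            out.extend(reversed(segment))
            i = j + 1  # skip the closing PDF if present
        elif c in BIDI_CONTROLS:
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def analyze(name: str) -> dict:
    """Compare the stored extension with the one a user would see."""
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    stored = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = PurePath(stored).suffix.lower()
    shown_ext = PurePath(displayed_name(name)).suffix.lower()
    return {
        "stored_name": stored,
        "bidi_controls": controls,
        "real_ext": real_ext,
        "displayed_ext": shown_ext,
        # Any bidi control in a file name is abnormal; a mismatch is the spoof.
        "suspicious": bool(controls) or real_ext != shown_ext,
    }


def scan_names(names: list[str]) -> list[dict]:
    """Return the analysis for every suspicious name in an archive listing."""
    return [r for r in (analyze(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":  # constructed sample listing
    SAMPLE = ["Диверсанти 21.03.rar", "Thumbs.db", "Диверсанти file\u202erar.scr"]
    for hit in scan_names(SAMPLE):
        print(hit)
```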
CERT-UA has attributed this activity, with medium confidence, to the GhostWriter group.
GhostWriter is a state-sponsored threat group that targets individuals in Poland, Latvia, and Lithuania. Its campaign began in mid-2020, and the actors behind these attacks are now being associated with UNC1151, a Minsk-based, state-sponsored APT group that runs malware campaigns and credential-harvesting attacks. UNC1151 has been targeting Ukrainian government officials and military personnel with mass phishing emails. Once an account is compromised, the attackers use the IMAP protocol to read all of its messages, and then use contact details from the victim's address book to send further phishing emails.
Impact
- Information Theft and Espionage
- Cyber Espionage
Indicators of Compromise
Domain Name
- ao3[.]hmgo[.]pw
- hmgo[.]pw
Filename
- Диверсанти[.]rar
- Diversants21[.]03[.]rar
- Диверсанти21[.]03[.]rar
- Saboteursfilerar[.]scr
- Диверсантиfilerrar[.]sc
- Thumbs[.]db
- dhdhk0k34[.]com
- Skype[.]exe
URL
- https[:]//ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works
- https[:]//ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works/update
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.