• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – KONNI APT Group – Active IOCs
March 29, 2022
Rewterz Threat Advisory – CVE-2022-22948 – VMware vCenter Server and Cloud Foundation Vulnerability
March 30, 2022

Rewterz Threat Alert – GhostWriter Targeting Organizations of Ukraine – Active IOCs – Russian-Ukrainian Cyber Warfare

March 29, 2022

Severity

High

Analysis Summary

The government team for responding to computer emergencies in Ukraine CERT-UA found RAR-archive “Диверсанти.rar”, which contains RAR-archive “Диверсанти 21.03.rar”, which, in turn, contains SFX-archive “Диверсанти filercs.rar” (to mask the extension, the file name contains the right-to-left override (RTLO) character).

The archive contains documents and images of the bait, as well as VBScript code (Thumbs.db), which will create and run the .NET program “dhdhk0k34.com”. As a result, the computer will be affected by the malicious program Cobalt Strike Beacon. – CERT-UA

Cert-UA has associated this activity, with average confidence, to the GhostWriter group.

GhostWriter is a state-sponsored threat group targeting individuals in Poland, Latvia, and Lithuania. The group has now been linked to UNC1151. The campaign by the threat group started in mid-2020 and now the actors responsible for these attacks are being associated with UNC1151. UNC1151 is a state-sponsored APT group partaking in malware campaigns and credential harvesting attacks. UNC1151 – a Minsk-based threat group – has been targeting Ukrainian government officials and military personnel with mass phishing emails. After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages. Later, the attackers use contact details from the victim’s address book to send the phishing emails.

Impact

  • Information Theft and Espionage
  • Cyber Espionage

Indicators of Compromise

Domain Name

  • ao3[.]hmgo[.]pw
  • hmgo[.]pw

Filename

  • Диверсанти[.]rar
  • Diversants21[.]03[.]rar
  • Диверсанти21[.]03[.]rar
  • Saboteursfilerar[.]scr
  • Диверсантиfiler‮rar[.]sc
  • Thumbs[.]db
  • dhdhk0k34[.]com
  • Skype[.]exe

MD5

  • e4b54ee2f0068762179e7e514d90bf16
  • 4a78df33d4f987103dc0c0f3a302b8cb
  • bcdab4ae622811f699765bfb9cb909d2
  • b5525108912ee8d5f1519f1b552723e8
  • 3303286735a07ae5d14db9c12843d44e
  • 18e73cc3d5eda742530ba3fef59e3943

SHA-256

  • fbabc4e5a6470606fc64c39c182b5a7a71f8fa96f50c67725d52abf184f75fd4
  • 59ed536e1955e310f321435d43ca8b60cb3746514f3c3ea951d43633cacbe7bc
  • 6149680c8541980d46c17681e37e4751e2baca1d13ee648b8188dfb24bf56f7c
  • d324d7f30984931176ff878a81c7c1f4f979ad3d759c7f33427bba10d9deb1f6
  • f98e1e61c84a5ed098e7481ab339e2881195f4d1b101c92b81113eb7ff56e63d
  • 37e644deee0add76bac9c5121355a03a459b1a97917383765bf3df94e9af7e29

SHA-1

  • f3f68b4bfdeb4d4cae5e05b66ca9c93e02f467ea
  • 86063f8ed3331987b42a5fc256e26abfb174b48a
  • 04bc53294ed74b6630c20c02afbc97f2772e2e31
  • 426d8a2289a234de5f647950a745fe228ca6d495
  • 18a590741330ec1968b229a1acdba2f08151909c
  • 5ac79ec558347889d54d69e8e24e011683a58520

URL

  • https[:]//ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works
  • https[:]//ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works/update

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on links/attachments sent by unknown senders.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.