Severity
High
Analysis Summary
Group 21 targeted a range of sectors in South Asia with spear-phishing emails. The emails carried a malicious attachment that dropped a backdoor on the infected system to steal sensitive information. The threat actor has been active since at least 2017 and uses many techniques for persistence and defense evasion, including PowerShell, mshta, obfuscation, and scheduled tasks. This comes at a crucial time, when Pakistan and India are progressing towards important aspects of peace negotiations after a tense last year.
Impact
Information theft and espionage
Indicators of Compromise
Remediation
Block all threat indicators at your respective controls.
Search for IOCs in your environment.
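As an added example, not part of the Rewterz advisory: a small Python helper that refangs indicators in the form this advisory publishes them (`[.]` and `[:]` defanging, with two of the URLs carrying a trailing `[.]`/`[:]` artifact that is not part of the indicator) and searches proxy log lines for the indicator hosts. The five indicators are taken from the advisory; the log lines and the `www.example.com` entry are constructed for the demonstration.

```python
import re

# Indicators as published (defanged). The last two carry a trailing "[:]" / "[.]"
# formatting artifact, which refang() strips.
DEFANGED_IOCS = [
    "pakcert[.]gov-pk[.]org",
    "mail[.]paec[.]gov-pk[.]org",
    "http[:]//110[.]10[.]176[.]193[:]4443",
    "http[:]//pakcert[.]gov-pk[.]org/zaqxswcderfv[.]hta[:]",
    "http[:]//pakcert[.]gov-pk[.]org/zaqxswcde[.]hta[.]",
]

# Constructed proxy log lines (timestamp, client, method, target, status).
SAMPLE_LOG = [
    "2021-03-02T10:14:07Z 10.0.0.15 GET http://pakcert.gov-pk.org/zaqxswcde.hta 200",
    "2021-03-02T10:14:09Z 10.0.0.15 CONNECT 110.10.176.193:4443 200",
    "2021-03-02T10:15:00Z 10.0.0.22 GET https://www.example.com/index.html 200",
    "2021-03-02T10:16:31Z 10.0.0.31 GET http://mail.paec.gov-pk.org/ 302",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its searchable form."""
    s = ioc.strip().replace("[.]", ".").replace("[:]", ":")
    s = s.replace("hxxp://", "http://").replace("hxxps://", "https://")
    return s.rstrip(".:")  # drop trailing punctuation artifacts


def host_of(ioc: str) -> str:
    """Host part (no scheme, port or path) of a URL or bare domain indicator."""
    s = re.sub(r"^[a-z]+://", "", refang(ioc), flags=re.I)
    return s.split("/", 1)[0].split(":", 1)[0].lower()


def build_matcher(iocs):
    """Return a function reporting which indicator hosts occur in a log line."""
    hosts = sorted({host_of(i) for i in iocs}, key=len, reverse=True)
    # Require a non-hostname character before and after the host so that
    # "pakcert.gov-pk.org" does not fire on "pakcert.gov-pk.organisation";
    # a leading "." is allowed so subdomains of a listed host still match.
    alt = "|".join(re.escape(h) for h in hosts)
    pattern = re.compile(r"(?<![\w-])(" + alt + r")(?![\w-])", re.I)
    return lambda line: sorted({m.lower() for m in pattern.findall(line)})


def scan(lines, iocs=DEFANGED_IOCS):
    """Yield (line index, matched hosts) for every log line that hits an IOC."""
    matches = build_matcher(iocs)
    hits = []
    for i, line in enumerate(lines):
        found = matches(line)
        if found:
            hits.append((i, found))
    return hits
```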