Rewterz Threat Alert – MeterPreter Malware – Active IOCs
March 28, 2022Rewterz Threat Advisory – CVE-2022-27645 – NETGEAR R6700v3 Vulnerability
March 29, 2022
Severity
Medium
Analysis Summary
The Ukrainian government computer emergency response team, CERT-UA, found the RAR archive “Про збереження відеоматеріалів з фіксацією злочинних дій армії російської федерації.rar”, which contains an EXE file of the same name. Running the executable creates a lure document “# 2163_02_33-2022.pdf” (relating to a letter from the National Police of Ukraine), as well as a DLL file “officecleaner.dat” with its MZ header removed and a BAT file “officecleaner.bat”, which reconstructs the correct DLL file, runs it, and writes to the Windows registry to ensure persistence. – CERT-UA
The mentioned DLL-file is classified as a malicious program HeaderTip, the main purpose of which is to download and execute other DLL-files.
The activity is tracked as UAC-0026. Similar attacks were observed in September 2020.
After the release of the advisory by CERT-UA, researchers associated the Chinese threat actor “Scarab” with the attack. This is the first direct attack by a Chinese threat actor on Ukraine. Scarab is known to use a predecessor of HeaderTip called “Scieron”.
Impact
- Credential Theft
- Code Execution
Indicators of Compromise
IP
- 104[.]155[.]198[.]25
MD5
- 1af894a5f23713b557c23078809ed01c
- 13612c99a38b2b07575688c9758b72cc
- 3293ba0e2eaefbe5a7c3d26d0752326e
- 9c22548f843221cc35de96d475148ecf
- 1aba36f72685c12e60fb0922b606417c
SHA-256
- 839e968aa5a6691929b4d65a539c2261f4ecd1c504a8ba52abbfbac0774d6fa3
- 042271aadf2191749876fc99997d0e6bdd3b89159e7ab8cd11a9f13ae65fa6b1
- c0962437a293b1e1c2702b98d935e929456ab841193da8b257bd4ab891bf9f69
- 830c6ead1d972f0f41362f89a50f41d869e8c22ea95804003d2811c3a09c3160
- 63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1
SHA-1
- 8cfad6d23b79f56fb7535a562a106f6d187f84cf
- e7ef3b033c34f2ac2772c15ad53aa28599f93a51
- fdb8de6f8d5f8ca6e52ce924a72b5c50ce6e5d6a
- 4c396041b3c8a8f5dd9db31d0f2051e23802dcd0
- 3552c184281abcc14e3b941841b698cfb0ec9f1d
URL
- https[:]//product2020[.]mrbasic[.]com[:]8080/
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
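The following script is an added example of how a defender might act on the two remediation steps above against the infection chain described in the analysis summary; it is not Rewterz or CERT-UA tooling. The hash, file-name and network indicators are copied from this advisory; the check for a `.dat` file that carries a `PE\0\0` signature but no `MZ` stub (the stripped DLL the summary describes) is a heuristic of my own, and the sample files it scans are constructed stand-ins, not real malware.

```python
"""Scan a directory tree and log lines for the HeaderTip indicators in this advisory.

Added example, not the advisory's or CERT-UA's own code. Indicators are taken
from the advisory; the headerless-PE heuristic and the sample tree are assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File-hash IOCs from the advisory (MD5, SHA-1 and SHA-256 mixed in one set).
IOC_HASHES = {
    "1af894a5f23713b557c23078809ed01c", "13612c99a38b2b07575688c9758b72cc",
    "3293ba0e2eaefbe5a7c3d26d0752326e", "9c22548f843221cc35de96d475148ecf",
    "1aba36f72685c12e60fb0922b606417c",
    "839e968aa5a6691929b4d65a539c2261f4ecd1c504a8ba52abbfbac0774d6fa3",
    "042271aadf2191749876fc99997d0e6bdd3b89159e7ab8cd11a9f13ae65fa6b1",
    "c0962437a293b1e1c2702b98d935e929456ab841193da8b257bd4ab891bf9f69",
    "830c6ead1d972f0f41362f89a50f41d869e8c22ea95804003d2811c3a09c3160",
    "63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1",
    "8cfad6d23b79f56fb7535a562a106f6d187f84cf", "e7ef3b033c34f2ac2772c15ad53aa28599f93a51",
    "fdb8de6f8d5f8ca6e52ce924a72b5c50ce6e5d6a", "4c396041b3c8a8f5dd9db31d0f2051e23802dcd0",
    "3552c184281abcc14e3b941841b698cfb0ec9f1d",
}

# Dropped artefacts named in the CERT-UA description.
DROPPED_NAMES = {"officecleaner.dat", "officecleaner.bat"}

# Network IOCs as printed (defanged) in the advisory; refanged only for log matching.
IOC_NETWORK_DEFANGED = {"104[.]155[.]198[.]25", "product2020[.]mrbasic[.]com"}
IOC_NETWORK = {s.replace("[.]", ".") for s in IOC_NETWORK_DEFANGED}


def file_hashes(data: bytes) -> dict:
    """Return the three digests the advisory lists, lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def looks_like_headerless_pe(data: bytes) -> bool:
    """Heuristic (assumption): a PE whose MZ stub was stripped still carries the
    'PE\\0\\0' signature, so flag data that lacks MZ but contains that signature."""
    return not data.startswith(b"MZ") and b"PE\x00\x00" in data


def classify(name: str, data: bytes, ioc_hashes=IOC_HASHES) -> list:
    """Return the list of reasons a single file is suspicious (empty if none)."""
    findings = []
    if name.lower() in DROPPED_NAMES:
        findings.append("dropped-file-name")
    if any(h in ioc_hashes for h in file_hashes(data).values()):
        findings.append("hash-match")
    if name.lower().endswith(".dat") and looks_like_headerless_pe(data):
        findings.append("headerless-pe")
    return findings


def scan_tree(root: str, ioc_hashes=IOC_HASHES) -> dict:
    """Walk root and return {relative_path: [finding, ...]} for flagged files only."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            findings = classify(fname, data, ioc_hashes)
            if findings:
                hits[str(path.relative_to(root))] = findings
    return hits


def match_network_indicator(log_line: str) -> bool:
    """True if a proxy/DNS log line contains the C2 host or IP from the advisory."""
    return any(ind in log_line for ind in IOC_NETWORK)


def demo() -> dict:
    """Build a constructed sample tree in a temp dir, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"nothing to see here")
        # Constructed stand-in for the stripped DLL: PE signature, no MZ stub.
        (root / "officecleaner.dat").write_bytes(b"\x00" * 64 + b"PE\x00\x00" + b"\x00" * 32)
        (root / "notes.dat").write_bytes(b"plain data file")
        # Constructed payload; its hash is added to the IOC set for this run only,
        # since no constructed file can reproduce the advisory's real hashes.
        payload = b"constructed sample, not real malware"
        (root / "dropper.exe").write_bytes(payload)
        return scan_tree(str(root), IOC_HASHES | {file_hashes(payload)["sha256"]})


if __name__ == "__main__":
    for rel_path, reasons in sorted(demo().items()):
        print(rel_path, reasons)
    print(match_network_indicator("GET http://product2020.mrbasic.com:8080/ 200"))
```

Hashing is done once per file and compared against all three algorithms at once, so the list can be pasted in as published without sorting it by type; `demo()` shows the expected output on a constructed tree (the `.dat` stand-in is flagged twice, the benign files not at all).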