• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Advisory – CVE-2021-29704 – IBM Security SOAR Information Disclosure
August 24, 2021
Rewterz Threat Alert – Cerberus Banking Trojan – Active IOCs
August 24, 2021

Rewterz Threat Alert – KONNI APT Group – Active IOCs

August 24, 2021

Severity

High

Analysis Summary

Konni’s APT Group continues to attack malicious documents written in Russian. Konni’s APT Group conducts attacks with Russian-North Korean trade and economic investment documents. The vector used for the attack is probably the Spear Phishing method and has been reported in Korea. The malicious file suspected of being used as an attachment has the name Russia-North Korea-South Korea-Trade and Economic Relations-Investment.doc

update-1629786885.jpg

These malicious documents used by Konni APT 


The malicious DOC document file contains the following VBA code. If the [Use Content] button is clicked, the VBA malware included inside is activated. And the contents of the document are printed as follows, which makes the user dazzle like a normal document file. VBA code makes connections with malicious C2 servers contained in the ObjectPool zone. The attacker would communicate with the attacker’s server through a combination of instructions contained in the ObjectPool TextBox1 to TextBox3 data and content. 

Impact

  • Exposure of Sensitive Data

Indicators of Compromise

Filename

  • economic relations[.]doc

MD5

  • b693e3d2f2cab550ad4f8c5722776498
  • ce866ae254de4cabd60a95abcc52c315
  • 9b1ca0408e33c43970b87c4c380b134f
  • db7ed25a92793aba319c08d67ca8bb17
  • 6f6606ed57b133f775927e34067b86aa

SHA-256

  • f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12
  • fccad2fea7371ad24a1256b78165bceffc5d01a850f6e2ff576a2d8801ef94fa
  • d283a0d5cfed4d212cd76497920cf820472c5f138fd061f25e3cddf65190283f
  • 617f733c05b42048c0399ceea50d6e342a4935344bad85bba2f8215937bc0b83
  • 80641207b659931d5e3cad7ad5e3e653a27162c66b35b9ae9019d5e19e092362

SHA1

  • 6dc93db10d46cf777f9928803157dd16dc097e79
  • 224fe06d61d2dc8d273a41d6dd83c9ce378719b9
  • 2fadfaef5179fe69bfecbd9adebd8f6a50615fa4
  • a240a8bb7630d3a060dda875abbc9690b9b6fb8a
  • 2e0168c630c0464f282d46abb17e1054c39af00e

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.