
Rewterz Threat Alert – KONNI APT Group – Active IOCs

January 4, 2022

Severity

High

Analysis Summary

The Konni APT group continues to attack using malicious documents written in Russian, themed around Russian-North Korean trade and economic investment documents.

The attack vector is most likely spear phishing, and the campaign has been reported in Korea.

The malicious file suspected of being used as the attachment is named congratulation.zip.

On December 20th, messages targeting the Russian consulate in Indonesia were identified; these messages used the New Year's Eve 2022 celebrations as their lure theme. Unlike its past campaigns, the North Korean APT group this time did not attach malicious documents; instead, they attached a .zip archive named "congratulation.zip" (поздравление.zip, Russian for "congratulation"), containing an embedded executable that serves as the first stage of the infection. The emails were spoofed using a *@mid.ru address as the sender so that they appeared to come from the Russian Embassy in Serbia.

Impact

  • Information Theft and Espionage

Indicators of Compromise

Domain Name

  • i758769[.]atwebpages[.]com
  • 455686[.]c1[.]biz
  • h378576[.]atwebpages[.]com

Filename

  • поздравление[.]zip

URL

  • http[:]//i758769[.]atwebpages[.]com/index[.]php?user_id=18756&type=1

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.
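To support the "search for IOCs in your environment" step above, here is a defender-side example, added here and not part of the advisory, that refangs the published indicators and scans log lines for them, plus a check for the spoofed *@mid.ru sender the advisory describes. The log line formats, the `spf=` field and every sample line are constructed assumptions, not data from the advisory.

```python
import re

# Indicators copied from the advisory above, kept in their defanged form.
DEFANGED_IOCS = {
    "domain": ["i758769[.]atwebpages[.]com", "455686[.]c1[.]biz",
               "h378576[.]atwebpages[.]com"],
    "filename": ["поздравление[.]zip", "congratulation[.]zip"],
    "url": ["http[:]//i758769[.]atwebpages[.]com/index[.]php?user_id=18756&type=1"],
}

def refang(value):
    """Restore a defanged indicator to the literal form that appears in logs."""
    return value.replace("[.]", ".").replace("[:]", ":")

def compile_ioc_patterns():
    """Build (kind, defanged_ioc, regex) triples; literals are escaped, never interpreted."""
    patterns = []
    for kind, values in DEFANGED_IOCS.items():
        for v in values:
            rx = re.escape(refang(v))
            if kind == "domain":
                # Match hostnames as whole labels so a look-alike such as
                # 'x455686.c1.biz.example' is not reported as a hit.
                rx = r"(?<![\w.-])" + rx + r"(?![\w-])"
            patterns.append((kind, v, re.compile(rx, re.IGNORECASE)))
    return patterns

def scan_lines(lines):
    """Return (line_number, ioc_kind, defanged_ioc) for every indicator found."""
    hits, pats = [], compile_ioc_patterns()
    for n, line in enumerate(lines, 1):
        for kind, ioc, rx in pats:
            if rx.search(line):
                hits.append((n, kind, ioc))
    return hits

# Assumed mail-gateway format: 'from=<addr>' followed later by 'spf=<result>'.
SPOOF_RX = re.compile(r"from=\S+@mid\.ru\b.*\bspf=(fail|softfail)", re.IGNORECASE)

def spoofed_mid_ru(line):
    """True when a line claims a mid.ru sender but fails SPF (the spoofing pattern described)."""
    return bool(SPOOF_RX.search(line))

# Constructed sample lines: a proxy record, two mail-gateway records and a DNS record.
SAMPLE_LOGS = [
    '2022-01-03T09:12:44Z proxy src=10.0.0.21 url="http://i758769.atwebpages.com/index.php?user_id=18756&type=1" status=200',
    '2022-01-03T08:58:10Z mailgw from=press@mid.ru spf=fail attachment="поздравление.zip" size=412k',
    '2022-01-03T08:59:02Z mailgw from=hr@example.org spf=pass attachment="agenda.docx" size=88k',
    '2022-01-03T09:15:00Z dns query=h378576.atwebpages.com answer=NXDOMAIN',
]
```

Feeding real proxy, mail-gateway or DNS exports into `scan_lines` gives a per-line hit list that can be triaged directly; a sender-spoof flag from `spoofed_mid_ru` alone is only a lead and should be confirmed against the attachment and URL hits.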