Rewterz Threat Alert – Qakbot (Qbot) Malware – Active IOCs
March 11, 2022Rewterz Threat Advisory – CVE-2022-0022 – Palo Alto Networks PAN-OS Vulnerability
March 14, 2022Rewterz Threat Alert – Qakbot (Qbot) Malware – Active IOCs
March 11, 2022Rewterz Threat Advisory – CVE-2022-0022 – Palo Alto Networks PAN-OS Vulnerability
March 14, 2022Severity
High
Analysis Summary
APT MuddyWater – an Iran-based APT – has been operating since at least 2017. This APT group utilizes the common but efficient infection vector, spear-phishing, to perform their tasks. It has mostly targeted countries in the Middle East but also affected countries in Europe and North America. The majority of the group’s victims are in the telecoms, government (IT services), and oil industries. This group’s activity was formerly related to FIN7, however, it is now regarded to be a separate entity driven by espionage.
MuddyWater’s majority of attacks are based on social engineering. It lures its victims into activating macros so that would infect the targeted workstation. Once macros were turned on, the threat actor’s code would try to download a trojan from an adversarial payload command and control node.
According to U.S. and U.K. federal agencies, MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran’s Ministry of Intelligence and Security (MOIS), targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America.
Impact
- Credential Theft
- Exposure of Sensitive Information
Indicators of Compromise
Domain Name
- lalindustries[.]com
- canarytokens[.]com
- advanceorthocenter[.]com
IP
- 95[.]181[.]161[.]81
- 185[.]183[.]97[.]25
- 178[.]32[.]30[.]3
MD5
- 5f71191ca2aff4738d9ca86e884e9afa
- b3504546810e78304e879df76d4eec46
- 6cef87a6ffb254bfeb61372d24e1970a
- b0ab12a5a4c232c902cdeba421872c37
- e182a861616a9f12bc79988e6a4186af
- bb9872bb18840b7e8a887b3be3b621c6
- 72e371542ad6fda96bb3fc3b1ee68d92
SHA-256
- fb69c821f14cb0d89d3df9eef2af2d87625f333535eb1552b0fcd1caba38281f
- f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0
- 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c
- 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
- c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e
- 6e50e65114131d6529e8a799ff660be0fc5e88ec882a116f5a60a2279883e9c4
- ef385ed64f795e106d17c0a53dfb398f774a555a9e287714d327bf3987364c1b
SHA-1
- fa73bee345b6f5d214917b5425bb2a6bd9b45de7
- d02d93b707ac999fde0545792870a2b82dc3a238
- e21d95b648944ad2287c6bc01fcc12b05530e455
- a8e7659942cc19f422678181ee23297efa55fa09
- 69840d4c4755cdab01527eacbb48577d973f7157
- 4e68e6daf702c6f8f2a7aed3fb23169f331fd47c
- 3f37ca0db6442743e34768e44450752637930523
URL
- http[:]//lalindustries[.]com/wp-content/upgrade/editor[.]php
- http[:]//advanceorthocenter[.]com/wp-includes/editor[.]php
- http[:]//95[.]181[.]161[.]81[:]443/main[.]exe
- http[:]//95[.]181[.]161[.]81/mm57aayn230
- http[:]//95[.]181[.]161[.]81/i100dfknzphd5k
- http[:]//88[.]119[.]170[.]124/lcekcnkxkbllmwlpoklgof
- http[:]//88[.]119[.]170[.]124/ezedcjrfvjriftmldedu
- http[:]//5[.]199[.]133[.]149/oeajgyxyxclqmfqayv
- http[:]//5[.]199[.]133[.]149/jznkmustntblvmdvgcwbvqb
- http[:]//185[.]183[.]97[.]25/protocol/function[.]php
- http[:]//185[.]118[.]164[.]195/c
- http[:]//178[.]32[.]30[.]3[:]80/kz10n2f9d5c4pkz10n2f9s2vhkz10n2f9/rrvvPu2KXdqEbDpJQ33/
- http[:]//172[.]245[.]81[.]135[:]10196/Geq5P3aFpaSrK3PZtErNgUsVCfqQ9kZ9/
Remediation
- Logging – Log your eCommerce environment’s network activity and web server activity.
- Passwords – Implement strong passwords.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are
- not publicly accessible.
- WAF – Set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade any platforms and software timely. Prioritize patching known exploited vulnerabilities.
- 2FA – Enable two-factor authentication.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner.