Rewterz Threat Alert – Indicators of Compromise for Multiple Malspam Campaigns

April 19, 2019

Rewterz Threat Alert – Multiple Phishing Campaigns – IoCs

April 23, 2019

Rewterz Threat Alert – MuddyWaters APT Recent Activity and Indicators of Compromise

April 19, 2019

Severity

High

Analysis Summary

Muddy water is a very capable APT group active since 2017, and has recently resurfaced, targeting various organizations. It’s main focus is to target government organizations in the Middle East but it has targeted various organizations in US and Europe as well.

The threat actors dig up actionable information about their targets, meanwhile preferring speed over operational security. The first trace of this threat actor was a public Github repository containing scripts that very closely match those observed in Seedworm operations.

Threat indicators associated with this new campaign are given below.

Indicators of Compromise

IP(s) / Hostname(s)

185[.]117[.]75[.]116

URLs

hxxps://1drv[.]ms/u/s!AgvJCoYH9skpgUNf3Y3bfhSyFQao
hxxp://162.223.89[.]53/oa/
hxxp://162.223.89[.]53/oc/api/?t=
hxxp://162.223.89[.]53/or/?t=

Filename

Missan dashboard.doc
16431.doc
letter-for-Kazakhstan.doc
2-Merve_Cooperation_CV.doc
16431.doc

Malware Hash (MD5/SHA1/SH256)

806adc79e7ea3be50ef1d3974a16b7fb
f12bab5541a7d8ef4bbca81f6fc835a3
072ce8858c7e5b3d71a9fa719613b107
85b3f269251d805d3e2f78d37aeb1744
8899c0dac9f6bb73ce750ae7b3250dbd
bd62f7b1766154cc7adbb6cc42561b8e
b0ab6ce3d044a1339a705f233e113c44a1bced10
c4a5e8e871e5af7a86427b08e383bb2a99fac932
82306e7b75120f97f9a0ba70d334470da79d0c5d
6011b09def7bca520ecad366e3e19d39e80461a4
91ead70b6e7962e73261441bcd4af6b332d88e9d
02fa6dd3df641b1ad18f955f16d1c27aa03c027a
93b749082651d7fc0b3caa9df81bad7617b3bd4475de58acfe953dfafc7b3987
08e256cd2fa027552be253ec3bf427b537977f9123adf1f36e7cd2843a057554
c005e11a037210eb8efe12b8dee794be36151de30b0223f2c9c4b9680cb033c0
925225002364615b964e4e3704876d9b101e4f07169dbb459175248aefb5a0ad
c873532e009f2fc7d3b111636f3bbaa307465e5a99a7f4386bebff2ef8a37a20
2f77ec3dd5a5c8146213fdf6ac2df4a25a542cbd809689a5642954f2097e037a
44912475958d7d3323633836fe62d41c
febf7d5f01d8ddd584ae3b9f051f6338
50a538062f2027b6ff763f23bc3d1545
e01d827d139bb933e34c7a35660b8728
108133793259efe042b82cb68c6221f4dfc107ac
387c5a965e94a56041af4de2acd01a50f4842c21
0a5bc1ca95a91c6a12f112abed34767d73e7e9fe
8635f311aa2a62844e70d49901067d8fbfedcf11
68133eb271d442216e66a8267728ab38bf143627aa5026a4a6d07bb616b3d9fd
ef3617a68208f047ccae2d169b8208aa87df9a4b8959e529577fe11c2e0d08c3
4cb0b2d9a4275d7e7f532f52c1b6ba2bd228a7b50735b0a644d2ecae96263352
6f78748f5b2902c05e88c1d2e45de8e7c635512a5f25d25217766554534277fe
c0c22e689e1e9fa11cbf8718405b20ce57c1d7c85d8e6e45c617e2b095b01b15
0089736ee162095ac2e4e66de6468dbb7824fe73996bbea48a3bb85f7fdd53e4
1c25286b8dea0ebe4e8fca0181c474ff47cf822330ef3613a7d599c12b37ff5f
144b3aa998cf9f30d6698bebe68a1248ca36dc5be534b1dedee471ada7302971

Remediation

Block threat indicators at their respective controls
Never click on links/ attachments sent by unknown senders
Always scan downloaded files prior to execution.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – Agent Tesla Malware – Active IOCs

Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs

Rewterz Threat Advisory – CVE-2023-40363 – IBM InfoSphere Information Server Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us