Rewterz Threat Advisory – CVE-2022-22374 – IBM POWER9 Vulnerability
March 28, 2022Rewterz Threat Alert – Energetic Bear APT Group – Active IOCs
March 28, 2022Severity
High
Analysis Summary
Researchers have identified recent Mustang Panda activity that involves the use of DLL side-loading to deliver PlugX. A new korplug variant has been discovered by researchers named “Hodur.” The variant is being spread by Mustang Panda. Mustang Panda has been taking advantage of the recent Russian Ukrainian geopolitical situation for phishing lures. The campaign has been ongoing since at least August 2021. ISPs, research entities, and European diplomats are targeted by the threat actors. Anti-analysis techniques are used in every stage of the deployment. Control flow obfuscation is also utilized at every stage. The filename used by the threat actors recently is “Situation at the EU borders with Ukraine.exe.” Mustang Panda targets East and Southeast Asian countries.
“Mustang Panda’s campaigns frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and Korplug (also known as PlugX).” – Researchers.
Impact
- Information Theft
- Exposure of Sensitive Data
Indicators of Compromise
Domain Name
- upespr[.]com
- urmsec[.]com
- zyber-i[.]com
- locvnpt[.]com
IP
- 103[.]79[.]120[.]66
- 107[.]178[.]71[.]211
- 156[.]226[.]173[.]23
- 45[.]154[.]14[.]235
- 92[.]118[.]188[.]78
MD5
- 12aa335ef324df213571a24ad38c3199
- 8fbad6e5aa15857f761e6a7a75967e85
- bd43933d60913e2f633bf029ff0120db
- 8ff41ca8ff54542f43ad9648ad4f3286
- d91655915849a6451b54a1c7a4aba8b4
- 6a2b0d57bcc6dabd986e553dc1a892ef
- 54d4fee3384c0595decb189b62712591
- 3c6173d8693510f6363b608c09feebb1
- 40876d28457f5efd3367f963542a8b8b
- b17619b7f6e607e4ceea4139a08897b7
- 3c99e3522923b6ec94093e04b7e13fa5
- 01d8305b91524d83ccf2c26c1b3b7f1f
- 560110e4905c606d32d2f4164bc84dab
- 7e05d4944026e5b2198563d0a6a0bd53
- d7ac2c6987f31219b9e5c86d85e66bfa
- 6f207612d5d594e50cb1f624de3323aa
SHA-256
- 3d2e685b0a92195eb6bd92ca291476fd9d30c86fca7bb6aa1e8cedcb05d7edd5
- ff72ad387dfc07eaf411e6d343b74f87b14758c6bd433858cfde8b7bcb4f1ade
- 9610cbcd4561368b6612cad1693982c43c8d81b0d52bb264c5f606f2478c1c58
- 48e37bb7e1ac185d314f262894014e1337a3c14455cd987dd83ac220bae87b3a
- 61b3c3ef4793a5c478bf97bdf0d992de257ea0f7e1d260075ce8b3f40f0de3cc
- 5313202244d93a595c8efa11cb01515bfffc686c60aa010822f353d5ca233170
- 26f802348d747b4e70033336e4ea249ed81dbf0509edf900f56a7c05207764ea
- 5851043b2c040fb3dce45c23fb9f3e8aefff48e0438dec7141999062d46c592d
- 39e58cd6d6b491d01f2691338103b688a36add271ea94fab8e99a8742ec1d9dd
- 5a2190b597ac0f5990276ef80c2d0a1ad2b6ec73a299855660742adbecebf5b2
- 39f9157e24fa47c400d4047c1f6d9b4dbfd067288cfe5f5c0cc2e8449548a6e8
- 1b520e4dea36830a94a0c4ff92568ff8a9f2fbe70a7cedc79e01cea5ba0145b0
- b4c056cd5668b82539faef8c58c3203dc4f5aae0c1b6bc6d23a9ac8bb1ab735a
- 906068fdc794387b855a5d8284eac0df905db8625b1ba4b34dd679a9400460c8
- 44c4e1ef6b7a22477310276bdb85ce260bf3bd9cccf781be8846afa6fc5e4ee2
- 68d196a504b09a32dbe07f4c85608650019a549e08ce3881862f6aa71d223e8c
SHA-1
- 69ab6b9906f8dce03b43bebb7a07189a69dc507b
- 4ebfc035179cd72d323f0ab357537c094a276e6d
- 7992729769760ecab37f2aa32de4e61e77828547
- f05e89d031d051159778a79d81685b62aff4e3f9
- ab01e099872a094dc779890171a11764de8b4360
- cdb15b1ed97985d944f883af05483990e02a49f7
- 908f55d21ccc2e14d4ff65a7a38e26593a0d9a70
- 477a1ce31353e8c26a8f4e02c1d378295b302c9e
- 52288c2cdb5926ecc970b2166943c9d4453f5e92
- cbd875ee456c84f9e87ec392750d69a75fb6b23a
- 2cf4bafe062d38faf4772a7d1067b80339c2ce82
- c13d0d669365dfaff9c472e615a611e058ebf596
- 2b5d6bb5188895da4928dd310c7c897f51aaa050
- 511da645a7282fb84ff18c33398e67d7661fd663
- 59002e1a58065d7248cd9d7dd62c3f865813eee6
- f67c553678b7857d1bbc488040ea90e6c52946b3
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.