January 27, 2021
Severity
High
Analysis Summary
An ongoing campaign has been identified that targets security researchers working on vulnerability research and development at various companies and organizations. The actors behind the campaign are attributed to a government-backed entity based in North Korea, and they have employed several means to reach researchers. They established a research blog and multiple Twitter profiles to interact with potential targets, using the Twitter profiles to post links to the blog, to post videos of their claimed exploits, and to amplify and retweet posts from other accounts they control. In mid-June, the threat actors shared via Twitter a YouTube video they had uploaded that claimed to exploit CVE-2021-1647, a recently patched Windows Defender vulnerability. In the video, they purported to show a successful working exploit that spawns a cmd.exe shell, but a careful review of the video shows the exploit is fake.
The threat actors use social engineering to establish initial contact with targeted researchers, ask whether they would like to collaborate on vulnerability research, and then provide the researcher with a Visual Studio project. The project contains source code for exploiting the vulnerability together with an additional DLL that is executed through Visual Studio Build Events. The DLL is custom malware that immediately begins communicating with actor-controlled C2 domains. In addition to targeting users via social engineering, we have also observed several cases where researchers were compromised after visiting the actors' blog. In each of these cases, the researcher followed a link on Twitter to a write-up hosted on blog.br0vvnn[.]io, and shortly afterwards a malicious service was installed on the researcher's system and an in-memory backdoor began beaconing to an actor-owned command and control server. At the time of these visits, the victim systems were running fully patched and up-to-date versions of Windows 10 and the Chrome browser. The actors have used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase and email.
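Because the DLL in this campaign ran through Visual Studio Build Events, reviewing build events before opening a project received from an unknown collaborator is a cheap defensive check. The following scanner is an added example written for this advisory, not tooling from Rewterz or from the original report; the sample .vcxproj, the DLL name and the keyword heuristic are all constructed for illustration.

```python
"""Scan a Visual Studio .vcxproj for build events that execute external code."""
import re
import xml.etree.ElementTree as ET

MSBUILD_NS = "{http://schemas.microsoft.com/developer/msbuild/2003}"
# Build-event elements whose <Command> child runs a shell line during a build.
EVENT_TAGS = ("PreBuildEvent", "PreLinkEvent", "PostBuildEvent")
# Heuristic (assumed, not from the advisory): loaders and interpreters that can
# run an arbitrary payload from a build step, plus any direct reference to a DLL.
SUSPICIOUS = re.compile(
    r"rundll32|regsvr32|powershell|cmd\.exe|wscript|cscript|mshta|\.dll\b", re.I)


def find_build_commands(vcxproj_xml: str):
    """Return (location, command) pairs for every build-event command and Exec task."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for tag in EVENT_TAGS:
        for event in root.iter(MSBUILD_NS + tag):
            cmd = event.find(MSBUILD_NS + "Command")
            if cmd is not None and cmd.text and cmd.text.strip():
                found.append((tag, cmd.text.strip()))
    # <Exec Command="..."/> inside a custom <Target> also runs during the build.
    for exec_task in root.iter(MSBUILD_NS + "Exec"):
        if exec_task.get("Command"):
            found.append(("Exec", exec_task.get("Command").strip()))
    return found


def suspicious_build_commands(vcxproj_xml: str):
    """Keep only build commands that match the loader/interpreter heuristic."""
    return [(loc, cmd) for loc, cmd in find_build_commands(vcxproj_xml)
            if SUSPICIOUS.search(cmd)]


# Constructed sample project: a benign copy step next to a hidden DLL loader.
SAMPLE_VCXPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
    <PreBuildEvent>
      <Command>rundll32.exe "$(ProjectDir)x64\\Debug\\helper.dll",Entry</Command>
    </PreBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""

if __name__ == "__main__":
    for location, command in suspicious_build_commands(SAMPLE_VCXPROJ):
        print(f"[{location}] {command}")
```

The same review applies to .csproj and other MSBuild files, and to solution-level .props or .targets files the project imports, since those can carry build events too.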
Impact
- Data Exfiltration
- System Compromise
- Code Execution
Indicators of Compromise
Remediation
- Block the threat indicators at their respective controls.
- Be very careful while interacting with previously unknown people on any platform.