December 10, 2021
Severity
High
Analysis Summary
Patchwork (also tracked as Mahabusa, White Elephant, Hangover, VICEROY TIGER and Dropping Elephant) is an APT group that mainly conducts cyber-espionage against Asian countries, in particular China and Pakistan. The group is now targeting army officials in Pakistan with a spear-phishing campaign that impersonates the Defence Housing Officers Society; the lure document is hosted on a karachidha[.]org domain (see the indicators below). When the recipient opens the RTF and enables macros, the document exploits CVE-2017-8759, a code-injection vulnerability in the .NET Framework that gives remote code execution on an unpatched machine with no further user interaction, and drops a backdoor. The backdoor is then used to deploy spyware that collects information from the victim's machine for later use against the victim.
Impact
- Information theft and espionage
Indicators of Compromise
Filename
- EOIForm[.]rtf
MD5
- c82823618b6d13d6540caecb4aef97bb
SHA-256
- 5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6
SHA-1
- 021ea88ee2c5a3dd16c7dc2dd703c0850cc18f83
URL
- https[:]//karachidha[.]org/docs/EOIForm[.]rtf
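The following script is an added example for sweeping a host or mail store for the indicators listed above; it is not Rewterz's tooling. It hashes every file under the given paths with MD5, SHA-1 and SHA-256, compares the digests with the alert's hashes, flags the published file name, and also reports any file whose raw bytes contain the lure URL (cached e-mail bodies, downloader scripts or proxy logs). The indicator set is a parameter so the same code can be reused for other alerts; the `ALERT_IOCS` dictionary holds the values from this page, re-fanged so they match real strings on disk.

```python
"""Sweep file systems for the Patchwork lure IOCs published in the alert above.

Added example (not the alert's own code). Indicators are taken from the
alert and re-fanged; everything else (function names, the hit record
format) is this example's own design.
"""
import hashlib
import os
from typing import Dict, Iterable, Iterator, List, Set

# Indicators copied from the alert. Hash values are used as-is; the URL and
# file name are re-fanged so they match the strings an infected host would hold.
ALERT_IOCS: Dict[str, Set[str]] = {
    "md5": {"c82823618b6d13d6540caecb4aef97bb"},
    "sha1": {"021ea88ee2c5a3dd16c7dc2dd703c0850cc18f83"},
    "sha256": {"5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6"},
    "url_substrings": {"karachidha.org/docs/EOIForm.rtf"},
    "filenames": {"eoiform.rtf"},  # compared case-insensitively
}

CHUNK = 1 << 20  # read 1 MiB at a time so large mail stores are not loaded whole


def hash_file(path: str) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of one file in a single pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def contains_any(path: str, needles: Set[str]) -> Set[str]:
    """Return the subset of needles found in the file's raw bytes.

    A tail of the previous chunk is kept so a needle that straddles a
    chunk boundary is still detected.
    """
    raw = {n.encode() for n in needles}
    found: Set[str] = set()
    overlap = max((len(n) for n in raw), default=0) - 1
    tail = b""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            buf = tail + chunk
            for n in raw:
                if n in buf:
                    found.add(n.decode())
            tail = buf[-overlap:] if overlap > 0 else b""
    return found


def iter_files(paths: Iterable[str]) -> Iterator[str]:
    """Yield regular files: a file path as-is, a directory recursively."""
    for p in paths:
        if os.path.isfile(p):
            yield p
        elif os.path.isdir(p):
            for dirpath, _, names in os.walk(p):
                for n in names:
                    full = os.path.join(dirpath, n)
                    if os.path.isfile(full):
                        yield full


def scan_paths(paths: Iterable[str], iocs: Dict[str, Set[str]] = ALERT_IOCS) -> List[Dict[str, str]]:
    """Return one hit record per matched indicator: {'path', 'type', 'value'}."""
    hits: List[Dict[str, str]] = []
    for path in iter_files(paths):
        name = os.path.basename(path)
        if name.lower() in iocs.get("filenames", set()):
            hits.append({"path": path, "type": "filename", "value": name})
        try:
            digests = hash_file(path)
            urls = contains_any(path, iocs.get("url_substrings", set()))
        except OSError:
            continue  # unreadable file (permissions, vanished); skip rather than abort the sweep
        for algo in ("md5", "sha1", "sha256"):
            if digests[algo] in iocs.get(algo, set()):
                hits.append({"path": path, "type": algo, "value": digests[algo]})
        for needle in urls:
            hits.append({"path": path, "type": "url", "value": needle})
    return hits


if __name__ == "__main__":
    import sys

    for hit in scan_paths(sys.argv[1:] or ["."]):
        print(f"{hit['type']:8} {hit['value']}  {hit['path']}")
```

Run it as `python sweep.py /path/to/mailstore /path/to/Downloads`; any line of output is a file to quarantine and a host to triage. A file-name match on its own is weak evidence (the lure name is generic), so treat hash and URL hits as the strong signals.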
Remediation
- Block all threat indicators at your respective controls and hunt for them retrospectively in mail, proxy and endpoint logs.
- Ensure the .NET Framework is patched against CVE-2017-8759 (fixed in Microsoft's September 2017 security updates).
- Always be suspicious of emails from unknown senders.
- Do not download files attached to untrusted emails.
- Do not enable macros in untrusted documents.
- Never click on links or attachments sent by unknown senders.