Rewterz Threat Alert – Bitter APT Group Targeting Nepal Military Officials – Active IOCs
March 4, 2022
Severity
High
Analysis Summary
Our security analysts have discovered a new phishing campaign targeting banks in Pakistan. The phishing emails are invoice-themed and carry malicious links or attachments. They use the subject line "Re: 1LINK – Withholding Under KP Sales Tax on Services Special Procedure (Withholding) Regulation, 2015 (Now 2020)" to create a sense of urgency and trigger a response: recipients are likely to presume the email is legitimate and act on it immediately.
Please note that some of these indicators may not yet be flagged as malicious or detected on VirusTotal. Users are nevertheless advised to take the necessary preventive actions according to the legitimacy of the threat and its source.
Impact
- Credential Theft
- Business Email Compromise
Indicators of Compromise
Remediation
- Block the threat indicators at their respective controls.
- If a security-alert email looks legitimate, do not respond to it without first confirming its legitimacy with network administrators.
- Search for IoCs in your environment.
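The "search for IoCs" step, as an added example that is not Rewterz's own tooling: the script parses an indicator block written in the defanged style this advisory uses ([.] and [:] escapes under IP, URL and hash headings), refangs it, and scans log lines for matches, anchoring IP matches so a shorter address does not fire inside a longer one. The indicator values and log lines are constructed placeholders (documentation-range IP, dummy hash), not the advisory's IoCs.

```python
import re
# Constructed indicator block in the advisory's defanged style (NOT its real IoCs).
SAMPLE_IOCS = (
    "IP\n- 203[.]0[.]113[.]10\n"
    "URL\n- http[:]//203[.]0[.]113[.]10[:]8080/AbCdEfGh\n"
    "SHA-256\n- " + "ABCDEF0123456789" * 4 + "\n"
)
# Constructed log lines: a proxy hit on the URL, an EDR hash event, and a
# near-miss IP (203.0.113.100) that must NOT match.
SAMPLE_LOGS = [
    "2022-03-04T10:01:02Z proxy src=10.0.0.5 GET http://203.0.113.10:8080/AbCdEfGh 200",
    "2022-03-04T10:03:44Z edr sha256=" + "abcdef0123456789" * 4 + " file=invoice.doc",
    "2022-03-04T10:04:00Z proxy src=10.0.0.9 GET http://203.0.113.100/ 200",
]
HASH_TYPES = {"MD5", "SHA-1", "SHA-256"}
SECTIONS = HASH_TYPES | {"IP", "URL"}

def refang(value):
    """Undo the advisory's defanging: '[.]' -> '.' and '[:]' -> ':'."""
    return value.replace("[.]", ".").replace("[:]", ":")

def parse_iocs(text):
    """Group '- value' lines under the section heading above them; hashes lowercased."""
    iocs, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line in SECTIONS:
            section = line
        elif line.startswith("- ") and section:
            value = refang(line[2:].strip())
            iocs.setdefault(section, set()).add(value.lower() if section in HASH_TYPES else value)
    return iocs

def find_hits(iocs, log_lines):
    """Return (line_no, type, value) per indicator seen in a log line. IPs are anchored so
    203.0.113.10 is not found inside 203.0.113.100; hashes compare case-insensitively."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for kind, values in iocs.items():
            for v in values:
                if kind == "IP":
                    matched = re.search(r"(?<![\d.])" + re.escape(v) + r"(?![\d.])", line)
                elif kind in HASH_TYPES:
                    matched = v in line.lower()
                else:
                    matched = v in line
                if matched:
                    hits.append((n, kind, v))
    return hits
```

Feeding the advisory's real indicator block and your proxy, mail-gateway or EDR exports into `parse_iocs` and `find_hits` gives a first-pass list of hosts to triage.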