Severity
High
Analysis Summary
Researchers have been tracking a new campaign distributing the Purple Fox malware. Purple Fox was discovered in March 2018 and was initially described as an exploit kit targeting Internet Explorer and Windows machines with various privilege escalation exploits. However, through late 2020 and early 2021, the Guardicore Global Sensors Network (GGSN) detected a novel spreading technique used by Purple Fox: indiscriminate port scanning followed by exploitation of exposed SMB services protected by weak passwords and hashes.
Attack Analysis
- The worm payload is executed after a victim machine is compromised through a vulnerable exposed service (such as SMB).
- The worm payload is also sent via email in a phishing campaign (which could tie in with the previously published findings about Purple Fox) that exploits a browser vulnerability.
Once code execution is achieved on the victim machine, a new service is created whose name matches the regex AC0[0-9]{1} (e.g. AC01, AC02, AC05). The purpose of this service is to establish persistence and to execute a simple command containing a ‘for loop’; that loop iterates through a number of URLs hosting the MSI that installs Purple Fox on the machine.
Impact
- Gain access
- Exposure of sensitive data
Indicators of Compromise
IP
- 27[.]54[.]248[.]35
- 122[.]246[.]35[.]174
- 211[.]20[.]123[.]130
- 178[.]134[.]41[.]222
- 123[.]146[.]83[.]96
- 183[.]63[.]187[.]31
- 92[.]118[.]151[.]103
- 118[.]186[.]211[.]30
- 183[.]129[.]228[.]12
- 218[.]95[.]37[.]217
- 117[.]184[.]200[.]18
- 211[.]162[.]200[.]22
- 103[.]5[.]126[.]205
- 190[.]60[.]104[.]220
- 103[.]142[.]36[.]16
- 61[.]147[.]116[.]201
- 103[.]73[.]105[.]42
- 117[.]146[.]58[.]170
- 183[.]245[.]31[.]245
- 219[.]128[.]88[.]186
- 82[.]129[.]219[.]101
- 180[.]235[.]121[.]20
- 218[.]95[.]37[.]137
- 122[.]193[.]10[.]180
- 175[.]182[.]236[.]95
- 60[.]255[.]176[.]84
- 222[.]249[.]228[.]37
- 112[.]213[.]126[.]40
- 118[.]67[.]250[.]13
- 121[.]10[.]140[.]176
- 139[.]255[.]199[.]19
- 183[.]128[.]32[.]139
- 156[.]96[.]150[.]92
- 111[.]59[.]140[.]247
- 213[.]91[.]121[.]36
- 107[.]191[.]53[.]95
- 110[.]49[.]95[.]117
- 211[.]174[.]178[.]20
- 192[.]186[.]16[.]180
- 45[.]127[.]186[.]166
- 58[.]216[.]164[.]70
- 168[.]243[.]166[.]19
- 180[.]71[.]139[.]168
- 103[.]107[.]188[.]19
- 163[.]30[.]38[.]135
- 61[.]178[.]29[.]225
- 42[.]180[.]125[.]138
- 192[.]186[.]10[.]235
- 107[.]151[.]144[.]72
- 173[.]244[.]161[.]21
- 192[.]200[.]100[.]13
- 221[.]202[.]75[.]41
- 201[.]116[.]126[.]11
- 114[.]84[.]149[.]81
- 210[.]73[.]222[.]201
- 177[.]74[.]128[.]34
- 220[.]192[.]174[.]16
- 210[.]212[.]237[.]85
- 103[.]92[.]24[.]213
- 202[.]79[.]173[.]98
- 194[.]247[.]42[.]173
- 103[.]224[.]157[.]23
- 120[.]131[.]6[.]197
- 58[.]229[.]194[.]121
- 183[.]131[.]206[.]12
- 103[.]88[.]221[.]123
- 220[.]192[.]46[.]152
- 112[.]31[.]218[.]39
- 180[.]101[.]184[.]60
- 61[.]185[.]216[.]22
- 114[.]198[.]173[.]15
- 222[.]186[.]45[.]68
- 114[.]80[.]108[.]158
- 61[.]129[.]33[.]230
- 60[.]190[.]114[.]207
- 61[.]164[.]161[.]91
- 203[.]128[.]6[.]130
- 46[.]21[.]196[.]181
- 121[.]58[.]249[.]19
- 14[.]152[.]59[.]101
- 211[.]233[.]86[.]211
- 183[.]131[.]222[.]6
- 223[.]112[.]227[.]32
- 113[.]105[.]92[.]174
- 103[.]255[.]178[.]20
- 1[.]179[.]156[.]115
- 103[.]212[.]35[.]252
- 202[.]102[.]249[.]26
- 210[.]245[.]96[.]140
- 178[.]33[.]174[.]45
- 103[.]97[.]125[.]17
- 60[.]19[.]250[.]238
- 115[.]230[.]125[.]10
- 139[.]170[.]8[.]116
- 118[.]123[.]247[.]19
- 117[.]45[.]139[.]163
- 95[.]161[.]197[.]174
- 149[.]28[.]31[.]157
- 173[.]252[.]193[.]17
- 117[.]122[.]219[.]10
- 43[.]250[.]186[.]190
- 45[.]39[.]227[.]234
- 112[.]80[.]41[.]161
- 116[.]211[.]145[.]16
- 60[.]191[.]230[.]14
- 218[.]7[.]208[.]250
- 183[.]134[.]101[.]94
- 222[.]184[.]112[.]24
- 103[.]107[.]188[.]36
- 211[.]152[.]35[.]37
- 218[.]72[.]251[.]19
- 221[.]114[.]210[.]13
- 154[.]81[.]177[.]119
- 123[.]130[.]124[.]77
- 121[.]46[.]239[.]199
- 219[.]137[.]228[.]13
- 46[.]100[.]105[.]108
- 168[.]126[.]149[.]11
- 36[.]92[.]151[.]150
- 123[.]59[.]195[.]34
- 121[.]201[.]65[.]148
- 218[.]22[.]183[.]101
- 209[.]73[.]145[.]226
- 60[.]250[.]110[.]35
- 103[.]107[.]189[.]10
- 211[.]233[.]58[.]154
- 121[.]40[.]131[.]169
- 172[.]252[.]15[.]130
- 58[.]229[.]194[.]122
Remediation
- Ensure anti-virus software and associated signature files are up to date.
- Search for existing signs of the indicated IoCs in your environment.
- Consider blocking and/or setting up detection for all URL- and IP-based IoCs.
- Keep applications and operating systems at the current released patch level.
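The two detection points this alert gives a defender are the AC0[0-9] service name created for persistence (Attack Analysis) and the IP indicators listed above (Remediation: search for and block the IoCs). The following Python script is an added example, not part of the Rewterz alert or of any vendor tooling: it refangs a subset of the advisory's defanged IPs, matches them against a few constructed firewall-style log lines, and flags service names that fully match the advisory's regex. The log lines and the service-name list are constructed sample data; the advisory's full IP list can be pasted into `ADVISORY_IOCS_DEFANGED` as-is.

```python
import re
from typing import Iterable, List, Tuple

# Subset of the advisory's defanged IPs (copied from the list above).
# The full list can be dropped in here unchanged; refang() handles the "[.]" form.
ADVISORY_IOCS_DEFANGED = [
    "27[.]54[.]248[.]35",
    "122[.]246[.]35[.]174",
    "211[.]20[.]123[.]130",
]

# Constructed firewall-style log lines for the example (not real traffic).
# Port 445 is SMB, the service the alert names as the worm's entry point.
SAMPLE_LOG_LINES = [
    "2021-03-25T10:01:02Z fw1 ALLOW TCP 10.0.0.15:51234 -> 27.54.248.35:445",
    "2021-03-25T10:01:05Z fw1 ALLOW TCP 10.0.0.15:51240 -> 93.184.216.34:443",
    "2021-03-25T10:02:11Z fw1 DENY  TCP 122.246.35.174:53211 -> 10.0.0.22:445",
]

# Constructed list of service names, as a host service enumeration might return.
SAMPLE_SERVICE_NAMES = ["wuauserv", "AC05", "AC0", "AC012", "Spooler", "AC01"]

# The advisory's regex for the persistence service; {1} is redundant but kept
# verbatim. fullmatch() is used so that "AC012" or "xAC01" do not count.
SERVICE_NAME_RE = re.compile(r"AC0[0-9]{1}")

# Dotted-quad extractor for pulling candidate IPs out of arbitrary log text.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Turn the advisory's defanged 'a[.]b[.]c[.]d' form back into a plain IP."""
    return ioc.replace("[.]", ".")


def find_ioc_hits(log_lines: Iterable[str], iocs: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, ip) for every advisory IP that appears in the logs.

    Every dotted quad on a line is checked, so the match works whether the
    indicator shows up as source or destination.
    """
    watch = {refang(i) for i in iocs}
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in watch:
                hits.append((n, ip))
    return hits


def suspicious_service_names(names: Iterable[str]) -> List[str]:
    """Return the service names that fully match the AC0[0-9] pattern."""
    return [n for n in names if SERVICE_NAME_RE.fullmatch(n)]


if __name__ == "__main__":
    for line_no, ip in find_ioc_hits(SAMPLE_LOG_LINES, ADVISORY_IOCS_DEFANGED):
        print(f"IoC hit on log line {line_no}: {ip}")
    for name in suspicious_service_names(SAMPLE_SERVICE_NAMES):
        print(f"service name matches Purple Fox persistence pattern: {name}")
```

In practice the log lines would come from a SIEM export or firewall syslog and the service names from `Get-Service` or `sc query` output; a hit on either check is a reason to isolate the host and look for the MSI download described in the Attack Analysis section.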