January 4, 2022
Severity
Medium
Analysis Summary
This attack delivers the Purple Fox rootkit through a chain of separate stages, each of which is useless on its own unless the entire file set is present, so no single dropped component is obviously malicious by itself.
- The lure, “Telegram Desktop.exe”, is a compiled AutoIt script. When run, it creates a new folder named “TextInputh” and drops a malicious downloader of the same name (TextInputh.exe) into it.
- TextInputh.exe then creates a new folder named “1640618495” in the Videos directory and contacts the C&C server to download two files into it:
- 1.rar
- 7zz.exe
- TextInputh.exe then executes ojbk.exe with the “-a” argument, which loads the malicious 360.dll.
- Next, the svchost.txt payload is run and drops five more files:
- Calldriver.exe
- Driver.sys
- dll.dll
- kill.bat
- speedmem2.hg
- These files work together to shut down and block the 360 anti-virus processes from kernel space, after which the Purple Fox rootkit is installed.
The following information is gathered by the malware and sent to the C&C:
- Hostname
- CPU – read from the ~MHz value under the HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 registry key
- Memory status
- Drive Type
- Processor Type
The Purple Fox payloads are downloaded and executed next.
Figure: Purple Fox Rootkit File Creation Flow (source: Minerva Labs)
Impact
- Gain Access
- Exposure of Sensitive Data
Indicators of Compromise
IP
- 193[.]164[.]223[.]77
- 144[.]48[.]243[.]79
MD5
- ed1b74827b64fc8913af19b1b745ad1a
- c398b504f74500d6a1a47f72bb45bc83
- b947575d0cd7e171bdd38b89b38084da
- 7c728bdeba5659be53cf9ef243b1902e
- 96187e12ed4a6f4306516b48634c0926
- 50d39beb37c8bec70015a8fd1414b867
- 963a8b3d307992b6e623ff39e34e6a4c
- 7c074b14a54f7b3846e51cfca778f66f
SHA-256
- 41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1
- bae1270981c0a2d595677a7a1fefe8087b07ffea061571d97b5cd4c0e3edb6e0
- 797a8063ff952a6445c7a32b72bd7cd6837a3a942bbef01fc81ff955e32e7d0c
- 26487eff7cb8858d1b76308e76dfe4f5d250724bbc7e18e69a524375cee11fe4
- b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e
- e2c463ac2d147e52b5a53c9c4dea35060783c85260eaac98d0aaeed2d5f5c838
- 638fa26aea7fe6ebefe398818b09277d01c4521a966ff39b77035b04c058df60
- 4bdfa7aa1142deba5c6be1d71c3bc91da10c24e4a50296ee87bf2b96c731b7fa
SHA-1
- 4628df1e4771b8566565e6879a4dfbfdb82616ed
- 05a33dbc4b239580748570b6d87a680c61102a11
- e59180bc09cb85a3dbe7aa8d92ef45a8c746adf6
- bdd481fbf10b46c8cc6c29d84bdd8a06a33611bc
- c92e2310328c56268ec8d0630e0f4177f71cec41
- ef6f226412e67e65166df0ce36fd7a661838fb8a
- 750ea11a6cc6cbfdcad22c9eb2d63286608dac87
- 78647b1f0fdc544f512b9cf8aa65198e309a9afd
URL
- http[:]//193[.]164[.]223[.]77[:]7456/h?=1640618495
- http[:]//193[.]164[.]223[.]77[:]7456/77
- http[:]//144[.]48[.]243[.]79[:]17674/C558B828[.]Png
Remediation
- Ensure anti-virus software and associated files are up to date.
- Search for existing signs of the indicated IoCs in your environment.
- Consider blocking and/or setting up detection for all URL- and IP-based IoCs.
- Keep applications and operating systems running at the current released patch level.
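The detection logic below is an added example written for this alert; it is not Rewterz's or Minerva Labs' code. It turns the file-creation chain from the Analysis Summary (the TextInputh staging folder, the 1640618495 folder under the Videos directory, and the dropped file names) and the IOC block above into three checks that serve the Remediation bullets: hash matching against the MD5/SHA-1/SHA-256 lists, path heuristics for the dropper chain, and proxy-log matching for the C&C IPs and URLs (refanged from the [.] notation used in the alert). The EDR-style (path, digest) inventory and the proxy log lines are constructed sample data, the log format is invented for the demo, and treating the ten-digit folder name as a Unix epoch timestamp is an assumption.

```python
"""Hunt for the fake-Telegram / Purple Fox drop chain and the alert's IOCs.
Added example, not Rewterz's or Minerva Labs' code; the file inventory and proxy
lines below are constructed sample data, and the folder heuristics are assumptions."""
import re

def refang(ioc: str) -> str:
    """Turn the alert's defanged form (193[.]164[.]223[.]77, http[:]//) into a real value."""
    return ioc.replace("[.]", ".").replace("[:]", ":")

# Network IOCs copied from the alert in defanged form, refanged for matching.
IOC_IPS = {refang(x) for x in ("193[.]164[.]223[.]77", "144[.]48[.]243[.]79")}
IOC_URLS = {refang(x) for x in (
    "http[:]//193[.]164[.]223[.]77[:]7456/h?=1640618495",
    "http[:]//193[.]164[.]223[.]77[:]7456/77",
    "http[:]//144[.]48[.]243[.]79[:]17674/C558B828[.]Png",
)}

# File hashes from the alert (MD5, SHA-1, SHA-256); the type is inferred from the hex length.
IOC_HASHES = {
    "ed1b74827b64fc8913af19b1b745ad1a", "c398b504f74500d6a1a47f72bb45bc83",
    "b947575d0cd7e171bdd38b89b38084da", "7c728bdeba5659be53cf9ef243b1902e",
    "96187e12ed4a6f4306516b48634c0926", "50d39beb37c8bec70015a8fd1414b867",
    "963a8b3d307992b6e623ff39e34e6a4c", "7c074b14a54f7b3846e51cfca778f66f",
    "4628df1e4771b8566565e6879a4dfbfdb82616ed", "05a33dbc4b239580748570b6d87a680c61102a11",
    "e59180bc09cb85a3dbe7aa8d92ef45a8c746adf6", "bdd481fbf10b46c8cc6c29d84bdd8a06a33611bc",
    "c92e2310328c56268ec8d0630e0f4177f71cec41", "ef6f226412e67e65166df0ce36fd7a661838fb8a",
    "750ea11a6cc6cbfdcad22c9eb2d63286608dac87", "78647b1f0fdc544f512b9cf8aa65198e309a9afd",
    "41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1",
    "bae1270981c0a2d595677a7a1fefe8087b07ffea061571d97b5cd4c0e3edb6e0",
    "797a8063ff952a6445c7a32b72bd7cd6837a3a942bbef01fc81ff955e32e7d0c",
    "26487eff7cb8858d1b76308e76dfe4f5d250724bbc7e18e69a524375cee11fe4",
    "b5128b709e21c2a4197fcd80b072e7341ccb335a5decbb52ef4cee2b63ad0b3e",
    "e2c463ac2d147e52b5a53c9c4dea35060783c85260eaac98d0aaeed2d5f5c838",
    "638fa26aea7fe6ebefe398818b09277d01c4521a966ff39b77035b04c058df60",
    "4bdfa7aa1142deba5c6be1d71c3bc91da10c24e4a50296ee87bf2b96c731b7fa",
}

# File and folder names from the analysis summary (matched case-insensitively).
CHAIN_FILES = {"telegram desktop.exe", "textinputh.exe", "1.rar", "7zz.exe", "ojbk.exe", "360.dll",
               "svchost.txt", "calldriver.exe", "driver.sys", "dll.dll", "kill.bat", "speedmem2.hg"}
CHAIN_DIRS = {"textinputh"}
EPOCH_DIR = re.compile(r"^\d{10}$")  # the 1640618495-style folder name (assumed to be a Unix epoch)

def match_hash(digest: str):
    """Return 'md5', 'sha1' or 'sha256' if the digest is one of the alert's hashes, else None."""
    d = digest.strip().lower()
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(d)) if d in IOC_HASHES else None

def path_findings(path: str) -> list:
    """Flag paths that look like the drop chain: a known file name, the TextInputh
    staging folder, or a ten-digit epoch-named folder under a Videos directory."""
    parts = [p.lower() for p in re.split(r"[\\/]+", path) if p] or [""]  # "" -> no findings
    hits = []
    if parts[-1] in CHAIN_FILES:
        hits.append(f"chain file name {parts[-1]}")
    if any(p in CHAIN_DIRS for p in parts[:-1]):
        hits.append("TextInputh staging folder")
    if "videos" in parts[:-1] and any(EPOCH_DIR.match(p) for p in parts[:-1]):
        hits.append("epoch-named folder under Videos")
    return hits

def scan_proxy_log(lines) -> list:
    """Return (line_no, kind, ioc) for lines carrying a C&C URL or, failing that, a C&C IP."""
    out = []
    for n, line in enumerate(lines, 1):
        url = next((u for u in sorted(IOC_URLS) if u in line), None)
        # Anchor the IP so it only matches as a whole dotted quad, never inside a longer digit run.
        ip = next((i for i in sorted(IOC_IPS)
                   if re.search(rf"(?<![\d.]){re.escape(i)}(?![\d.])", line)), None)
        if url:
            out.append((n, "url", url))
        elif ip:
            out.append((n, "ip", ip))
    return out

def hunt(inventory, proxy_lines) -> dict:
    """inventory: iterable of (path, hex digest) pairs, e.g. an EDR file export; proxy_lines: raw log lines."""
    report = {"hash": [], "path": [], "network": scan_proxy_log(proxy_lines)}
    for path, digest in inventory:
        if kind := match_hash(digest):
            report["hash"].append((path, kind))
        if hits := path_findings(path):
            report["path"].append((path, hits))
    return report

# Constructed sample telemetry for the demo (not real data).
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\AppData\Local\Temp\TextInputh\TextInputh.exe", "ED1B74827B64FC8913AF19B1B745AD1A"),
    (r"C:\Users\Public\Videos\1640618495\ojbk.exe", "0" * 32),
    (r"C:\Users\Public\Videos\1640618495\svchost.txt", "4628df1e4771b8566565e6879a4dfbfdb82616ed"),
    (r"C:\Windows\System32\svchost.exe", "1" * 64),
]
SAMPLE_PROXY = [
    "1641276001.001 10.0.0.5 GET http://193.164.223.77:7456/h?=1640618495 200",
    "1641276002.002 10.0.0.5 GET http://193.164.223.77:7456/77 200",
    "1641276003.003 10.0.0.7 GET https://example.com/ 200",
    "1641276004.004 10.0.0.9 CONNECT 193.164.223.177:443 200",  # neighbouring host, must not match
    "1641276005.005 10.0.0.9 CONNECT 144.48.243.79:17674 200",
]

if __name__ == "__main__":
    print(hunt(SAMPLE_INVENTORY, SAMPLE_PROXY))
```

Run it directly to print the report for the sample data, or call `hunt()` on a real file-hash export and proxy log. A hash or path hit is high-confidence; a bare IP hit is the weakest signal of the three and should be corroborated with the port (7456 or 17674 in the URLs above) before acting on it.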