February 15, 2022
Severity
High
Analysis Summary
Threat actors disguised their malware as a Windows 11 upgrade to lure victims into a social engineering trap. The distributed malware is the Redline stealer.
Redline is an info stealer that harvests data from web browsers and can further compromise the operating system by installing additional harmful software.
It steals user information from browsers, instant messaging applications, and FTP clients. According to Proofpoint's analysis, the malware first appeared in March 2020. Redline spread across several countries during the COVID-19 pandemic and is still active today. RedLine can steal passwords, credit card information, cookies, usernames, locations, autofill data, and even system configuration details such as keyboard layout and UAC settings. RedLine is also capable of stealing cryptocurrency. This campaign is currently active and targets a variety of Asian organizations.
Fake Windows 11 website hosted on windows-upgraded[.]com (image source: HP)
Impact
- Credential Theft
- Unauthorized Access
Indicators of Compromise
Domain Name
- windows-upgraded[.]com
- discrodappp[.]com
IP
- 45[.]146[.]166[.]38
MD5
- 132b1d6688a4c858e3bfcbd8a699b01a
- e1e06982d2df5dfc0601c0c22f04fa5c
- 5a8a76c88fbee181b32d9b7f67af8961
- 6dfa84ac778aa418adcb649651d17ccd
SHA-256
- c7bcdc6aecd2f7922140af840ac9695b1d1a04124f1b3ab1450062169edd8e48
- 4293d3f57543a41005be740db7c957d03af1a35c51515585773cedee03708e54
- 7d5ed583d7efe318fdb397efc51fd0ca7c05fc2e297977efc190a5820b3ee316
- 6b089a4f4fde031164f3467541e0183be91eee21478d1dfe4e95c4a0bb6a6578
SHA-1
- 14825027a451f15d027bc3c3967f3f70073170eb
- d0728a1a3f67e069d0c955c099ab00144d0116a1
- 477982363ed8f5cb145a301f844e75495d5f7d8d
- 746d1419c16b8aa6e3eca6d3fa6c3ae36b67f702
URL
- http[:]//81[.]4[.]105[.]174/win11[.]jpg
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on links sent by unknown senders.
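The remediation steps above ask defenders to search their environment for the listed indicators. The following added example (not part of the Rewterz advisory) refangs the advisory's domains, IP, URL and file hashes and matches them against log lines. The indicator values are copied from the advisory; the log lines, their field layout and the `refang`, `scan_line` and `scan_logs` helpers are this example's own constructed assumptions.

```python
"""Match the advisory's indicators of compromise against log lines.

Indicator values below are taken from the advisory (kept in the defanged
form in which they were published); everything else is constructed for
this example.
"""
import re

# Indicators as published in the advisory (defanged).
DEFANGED_DOMAINS = ["windows-upgraded[.]com", "discrodappp[.]com"]
DEFANGED_IPS = ["45[.]146[.]166[.]38"]
DEFANGED_URLS = ["http[:]//81[.]4[.]105[.]174/win11[.]jpg"]
HASHES = {  # MD5, SHA-1 and SHA-256 values from the advisory, lowercase
    "132b1d6688a4c858e3bfcbd8a699b01a",
    "e1e06982d2df5dfc0601c0c22f04fa5c",
    "5a8a76c88fbee181b32d9b7f67af8961",
    "6dfa84ac778aa418adcb649651d17ccd",
    "c7bcdc6aecd2f7922140af840ac9695b1d1a04124f1b3ab1450062169edd8e48",
    "4293d3f57543a41005be740db7c957d03af1a35c51515585773cedee03708e54",
    "7d5ed583d7efe318fdb397efc51fd0ca7c05fc2e297977efc190a5820b3ee316",
    "6b089a4f4fde031164f3467541e0183be91eee21478d1dfe4e95c4a0bb6a6578",
    "14825027a451f15d027bc3c3967f3f70073170eb",
    "d0728a1a3f67e069d0c955c099ab00144d0116a1",
    "477982363ed8f5cb145a301f844e75495d5f7d8d",
    "746d1419c16b8aa6e3eca6d3fa6c3ae36b67f702",
}


def refang(value):
    """Turn a defanged indicator ('[.]', '[:]', 'hxxp') back into its real form."""
    return (value.replace("[.]", ".")
                 .replace("[:]", ":")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
URLS = {refang(u).lower() for u in DEFANGED_URLS}

# Tokenisers for the three indicator shapes we look for in free-text log lines.
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def scan_line(line):
    """Return a list of (indicator_type, value) for every advisory IoC in one line."""
    hits = []
    low = line.lower()
    for url in URLS:
        if url in low:
            hits.append(("url", url))
    for ip in IPV4_RE.findall(line):
        if ip in IPS:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        h = host.lower()
        # Match the listed domain itself and any subdomain beneath it.
        if h in DOMAINS or any(h.endswith("." + d) for d in DOMAINS):
            hits.append(("domain", h))
    for digest in HASH_RE.findall(line):
        if digest.lower() in HASHES:
            hits.append(("hash", digest.lower()))
    return hits


def scan_logs(lines):
    """Scan many lines; return {line_number: hits} for lines with at least one hit."""
    results = {}
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results[number] = hits
    return results


# Constructed sample log lines (DNS, proxy, EDR and firewall); not real telemetry.
SAMPLE_LOGS = [
    "2022-02-15T09:12:01Z dns client=10.0.0.23 query=windows-upgraded.com type=A",
    "2022-02-15T09:12:03Z proxy client=10.0.0.23 GET http://81.4.105.174/win11.jpg 200",
    "2022-02-15T09:12:09Z edr host=WS-23 file=setup.exe "
    "sha256=c7bcdc6aecd2f7922140af840ac9695b1d1a04124f1b3ab1450062169edd8e48",
    "2022-02-15T09:13:40Z fw src=10.0.0.23 dst=45.146.166.38 dport=443 action=allow",
    "2022-02-15T09:14:00Z dns client=10.0.0.40 query=windowsupdate.microsoft.com type=A",
]

if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS).items():
        print(f"line {number}: {hits}")
```

The matcher deliberately keeps the published defanged strings as the source of truth and refangs them at load time, so the block list can be pasted straight from the advisory; subdomain matching is included because stealer infrastructure is often reached through hostnames beneath the listed domain.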