November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Rewterz Informative Update – Bitcoin Mining Pool BTC.com Lost $3M Worth Of Cryptocurrency In Cyberattack
December 28, 2022Rewterz Threat Advisory – ICS – Rockwell Automation Studio 5000 Logix Emulate Vulnerability
December 29, 2022Rewterz Informative Update – Bitcoin Mining Pool BTC.com Lost $3M Worth Of Cryptocurrency In Cyberattack
December 28, 2022Rewterz Threat Advisory – ICS – Rockwell Automation Studio 5000 Logix Emulate Vulnerability
December 29, 2022
Severity
High
Analysis Summary
Shuckworm APT – aka Actinium, Armageddon, Primitive Bear, Gamaredon, and Trident Ursa – is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. The main goal of this APT is to use the malicious document to gain control of the target machine. The exploit document uses the template injection technique to infect the victim’s computer with further malware. When the document is opened, it connects to the hacker’s server and downloads the payload file. Gamaredon’s tools are simple and designed to collect sensitive information from hacked systems and propagate it further. Its information-gathering efforts are nearly comparable to those of a second-tier APT, whose primary purpose is to collect and disseminate information with their units. The Gamaredon APT group’s current attack leverages a decree document from the Russian Federation government as bait. In July, this APT group targets Ukrainian entities with PowerShell info-stealer malwar dubbed GammaLoad.
Impact
- Template Injection
- Sensitive Data Exposure
Indicators of Compromise
MD5
- a8484b0d0171f2fd759ce4a8e024a81e
- 341879622d76cdb6a8fc2c73e4313783
SHA-256
- f119cc4cb5a7972bdc80548982b2b63fac5b48d5fce1517270db67c858e9e8b0
- 50733868622234239cedcaaf56a6a980d4caf95e0122ffdfbef1c8f4e0ed0006
SHA-1
- 7045ae0346675a4930cd00358946b3621296ccf2
- c69b06e9d62bd142884b384626cec599656edf8a
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open ” links and attachments received from unknown sources/senders.