Rewterz Threat Update – LAPSUS$ Group’s Latest Activity (March 22, 2022)
Rewterz Threat Advisory – Multiple VMware Carbon Black App Control Vulnerability (March 24, 2022)
Severity
High
Analysis Summary
Sidewinder APT
Sidewinder is a suspected Indian threat actor group that has been active since 2012. It has been observed attacking political, military, and corporate organizations throughout Asia, with Pakistan, China, Nepal, and Afghanistan the most common targets. RAZOR TIGER, Rattlesnake, APT-C-17, and T-APT-04 are other names for Sidewinder. In its most recent campaign the group has been targeting Pakistani government officials with a decoy document themed on the NTC (National Telecom Corporation). It uses custom exploit implementations against known vulnerabilities and deploys a PowerShell payload in the final stage to deliver the malware. Sidewinder has also been observed running credential-phishing sites cloned from its victims’ webmail login pages.
Lazarus APT
Lazarus APT is one of North Korea’s most sophisticated threat actors, operating since at least 2009. It initially concentrated on South Korea but has since shifted to worldwide targets and began conducting financially motivated operations. The actor has been linked to attacks in South Korea, the United States, Japan, and a number of other countries, and is suspected of being behind a wide range of activity, including cyberespionage and attacks on financial institutions, government agencies, and the military.
The group is believed to be responsible for the November 2014 wiper attack on Sony Pictures Entertainment, as documented in Novetta’s Operation Blockbuster report. Lazarus malware has been linked to other known campaigns such as Operation Flame, Operation Troy, DarkSeoul, Operation 1Mission, and Ten Days of Rain.
Gamaredon APT
Gamaredon is a Russia-backed advanced persistent threat (APT) that has been operating since at least 2013. Its primary goal is to gain control of the target machine through a malicious document. The document uses remote template injection: when it is opened, it contacts the attacker’s server to fetch a template, which in turn downloads the next-stage payload. Gamaredon’s tools are simple and built to collect sensitive information from compromised systems and spread further. Its information-gathering effort is comparable to that of a second-tier APT whose main purpose is to collect information and pass it on to its units.
Donot APT
The Donot APT group has been actively dropping malicious samples and targeting government users to exfiltrate data. After a period of reduced activity the group has again shifted its focus to phishing campaigns. It has a history of attacking Pakistani government officials and military personnel and has been linked to India. It previously targeted Pakistani Android users with malware named StealJob, distributed through phishing under the name “Kashmiri Voice”. The attackers hunt for confidential information and intellectual property; their targets include countries in South Asia, in particular Pakistan’s state sector.
MuddyWater APT
MuddyWater is an Iran-based APT that has been operating since at least 2017. It relies on the common but effective infection vector of spear-phishing. It has mostly targeted countries in the Middle East but has also hit Europe and North America. Most of its victims are in the telecommunications, government (IT services), and oil sectors. The group’s activity was initially linked to FIN7, but it is now regarded as a separate, espionage-driven entity.
The majority of MuddyWater’s attacks rest on social engineering: victims are lured into enabling macros in a malicious document, which infects the targeted workstation. Once macros are enabled, the embedded code attempts to download a trojan from an attacker-controlled command-and-control server.
According to U.S. and U.K. government agencies, MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran’s Ministry of Intelligence and Security (MOIS), targeting a range of government and private-sector organizations across sectors, including telecommunications, defense, local government, and oil and natural gas, in Asia, Africa, Europe, and North America.
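The two document lures described above (Gamaredon’s remote template injection and MuddyWater’s macro-enabled documents) both leave a structural trace inside the Office Open XML container that can be checked without opening the file in Office: an `attachedTemplate` relationship with `TargetMode="External"` pointing at an HTTP/UNC location, and a `vbaProject.bin` part. The following scanner is an added example written for this advisory, not code from Rewterz or from either group; the sample documents it builds in memory, including the `example.invalid` hostname, are constructed for the demonstration.

```python
"""Scan an OOXML document (docx/dotm/xlsx) for remote template injection
and embedded VBA macros.  Added example; sample documents are constructed
in memory so the script runs offline."""
import io
import re
import zipfile

# A relationship element that points outside the package.
EXTERNAL_REL = re.compile(r'<Relationship\b[^>]*TargetMode="External"[^>]*/?>', re.I)
TARGET = re.compile(r'Target="([^"]+)"')
REL_TYPE = re.compile(r'Type="([^"]+)"')
REMOTE_SCHEME = re.compile(r"^(https?://|file:|\\\\)", re.I)


def scan_ooxml(data: bytes) -> dict:
    """Return findings for one OOXML document given as bytes."""
    findings = {"remote_templates": [], "external_targets": [], "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):          # macro storage part
                findings["has_macros"] = True
            if not lower.endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for rel in EXTERNAL_REL.finditer(xml):
                tgt = TARGET.search(rel.group(0))
                typ = REL_TYPE.search(rel.group(0))
                if not tgt or not REMOTE_SCHEME.match(tgt.group(1)):
                    continue
                target = tgt.group(1)
                findings["external_targets"].append(target)
                # settings.xml.rels -> attachedTemplate is the template-injection hook
                if typ and typ.group(1).endswith("/attachedTemplate"):
                    findings["remote_templates"].append(target)
    return findings


def build_docx(settings_rels, with_vba):
    """Build a minimal (constructed, non-functional) docx for testing the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if settings_rels is not None:
            z.writestr("word/_rels/settings.xml.rels", settings_rels)
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()


# Constructed relationship file mimicking a remote template reference.
INJECTED_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
    'Target="http://example.invalid/template.dotm" TargetMode="External"/>'
    '</Relationships>'
)

if __name__ == "__main__":
    print(scan_ooxml(build_docx(INJECTED_RELS, False)))
    print(scan_ooxml(build_docx(None, True)))
```

Only `remote_templates` and `has_macros` are high-signal on their own; `external_targets` also collects ordinary hyperlinks from `document.xml.rels`, so use it for context rather than as a verdict.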
Bitter APT
The BITTER APT group (also tracked as T-APT-17) has recently been active, targeting sectors in South Asia for information theft and espionage. It has a history of targeting the energy, engineering, and government sectors in South Asia. Spear-phishing emails have been its main delivery method for years. Many BITTER victims have been compromised through a relatively common Microsoft Office exploit that downloads and executes a RAT binary from a website. Although the attack vector of this sample is not yet known, it indicates the group’s renewed presence in the South Asian region.
Exploit-in-the-Wild
CVE-2022-22584
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS ColorSync. User interaction is required: the target must visit a malicious page or open a malicious file. The flaw lies in the parsing of ICC profile data, where a lack of proper validation of user-supplied data can result in a read past the end of an allocated buffer. An attacker can chain this with other vulnerabilities to execute arbitrary code in the context of the current process.
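The bug class above is a parser trusting an attacker-supplied offset or length when reading a tag out of an ICC profile. The following added example shows what the missing validation looks like for the ICC tag table (128-byte header, 4-byte tag count, then 12-byte entries of signature, offset, size); it is a generic hardened reader written for this advisory, not ColorSync code, and it does not model the exact flaw behind CVE-2022-22584. The profiles it parses are constructed in the script.

```python
"""Bounds-checked ICC tag-table reader.  Added example: demonstrates the
offset/size validation whose absence gives an out-of-bounds read in a
native parser.  Profiles are constructed below, not real-world samples."""
import struct

HEADER_LEN = 128      # fixed ICC profile header
TAG_ENTRY_LEN = 12    # 4-byte signature, 4-byte offset, 4-byte size
ACSP = b"acsp"        # profile file signature at header offset 36


class IccError(ValueError):
    """Raised when the profile would require reading outside the buffer."""


def parse_icc_tags(data: bytes) -> dict:
    """Return {signature: payload} for every tag, refusing any entry that
    points outside `data`.  Every arithmetic step is checked before use."""
    n = len(data)
    if n < HEADER_LEN + 4:
        raise IccError("truncated header")
    declared = struct.unpack_from(">I", data, 0)[0]
    if data[36:40] != ACSP:
        raise IccError("missing acsp signature")
    if declared > n:
        raise IccError(f"declared size {declared} exceeds buffer {n}")
    count = struct.unpack_from(">I", data, HEADER_LEN)[0]
    table_end = HEADER_LEN + 4 + count * TAG_ENTRY_LEN   # Python ints do not overflow
    if table_end > n:
        raise IccError(f"tag table with {count} entries exceeds buffer")
    tags = {}
    for i in range(count):
        sig, t_off, t_size = struct.unpack_from(">4sII", data, HEADER_LEN + 4 + i * TAG_ENTRY_LEN)
        # The check a vulnerable path omits: the tag must lie inside the buffer.
        if t_off < table_end or t_off + t_size > n:
            raise IccError(f"tag {sig!r} spans [{t_off}, {t_off + t_size}) outside buffer of {n}")
        tags[sig] = data[t_off:t_off + t_size]
    return tags


def build_profile(tags) -> bytes:
    """Construct a minimal, well-formed profile from [(signature, payload), ...]."""
    count = len(tags)
    table_end = HEADER_LEN + 4 + count * TAG_ENTRY_LEN
    table, body, off = b"", b"", table_end
    for sig, payload in tags:
        table += struct.pack(">4sII", sig, off, len(payload))
        body += payload
        off += len(payload)
    header = (struct.pack(">I", table_end + len(body)) + b"\x00" * 32 + ACSP).ljust(HEADER_LEN, b"\x00")
    return header + struct.pack(">I", count) + table + body


def corrupt_first_tag_size(profile: bytes, size: int) -> bytes:
    """Overwrite the size field of the first tag entry, as a malformed file would."""
    pos = HEADER_LEN + 4 + 8
    return profile[:pos] + struct.pack(">I", size) + profile[pos + 4:]


if __name__ == "__main__":
    good = build_profile([(b"desc", b"hello"), (b"wtpt", b"\x00" * 12)])
    print(parse_icc_tags(good))
    try:
        parse_icc_tags(corrupt_first_tag_size(good, 0x7FFFFFFF))
    except IccError as e:
        print("rejected:", e)
```

In C the unchecked equivalent of `data[t_off:t_off + t_size]` is a `memcpy` past the allocation; Python slices silently truncate, which is exactly why the explicit comparison against the buffer length, not the language, is what prevents the over-read.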
Impact
- Information Theft and Espionage
- Exposure of Sensitive Data
- Exfiltration Of Data
- Information Loss
- Unauthorized Access
- Financial Loss
- File Encryption
Indicators of Compromise
Domain Name
- deathstroke[.]xyz
- pmo[.]nationalhelpdesk[.]pk
- sngpl[.]org[.]pk
Filename
- Nepal Army Day Invitation[.]docx [.]chm
- Chart[.]xlsx
- Delegation Visit Details March 2022[.]xlsx
- Utensils List(1)[.]doc
- FOCUSED TALK ON RUSSIAN UKRAINE CONFLICT[.]docx
IP
- 3[.]37[.]215[.]204
- 18[.]229[.]249[.]186
- 52[.]79[.]102[.]70
- 16[.]162[.]223[.]161
- 95[.]179[.]160[.]235
- 45[.]76[.]84[.]233
- 209[.]197[.]3[.]8
MD5
- a23ed54ce55c04307a5c6df0325bd9a7
- 2a340b72e16fb1ece13d7f553ec3c266
- 1f2ba324c566ba1f29e94971bc1034c8
- f45f45a5ee8b4d31188139c1976167b2
- 2454a5b5f7793d372c96fd572c1de2cc
- ddefdb9e3b7612bb9caf036a8a847742
- e3d77259a1450aa537cea834fb15e7dc
- 17f2f054205849b71cec3258709afd83
- c8e1010b7ee1647b582048bfd67a9e0e
- 04effbbd901879abcd2834e530d5e9ad
- 7bcdef8e11c27e65e7016d145a24d195
- 6162005b9ae5d4a8070bfe5f560b0912
- c19201cbd7ad2221844268c0ba694a3a
- 277955afbf4ca44a018961f66a603f82
- bbc955b1289b4f90fdfb8906606597e9
- df648ccd3b842ce0128318629b5cbd0d
- e1f97c819b1d26748ed91777084c828e
- 887f345dce4426b9c841c7fde581b18f
- 69ff29b86ab5444197aeb0cf5eba0967
- 5f71191ca2aff4738d9ca86e884e9afa
- b3504546810e78304e879df76d4eec46
- 6cef87a6ffb254bfeb61372d24e1970a
- b0ab12a5a4c232c902cdeba421872c37
- e182a861616a9f12bc79988e6a4186af
- bb9872bb18840b7e8a887b3be3b621c6
- 72e371542ad6fda96bb3fc3b1ee68d92
- 15fa3b32539d7453a9a85958b77d4c95
- 5763530f25ed0ec08fb26a30c04009f1
- ef5017d8e7724f73d370e1b77d276d3c
- 9651c8d7fc951e1e02a0149c9d07ed88
- f9166fae86607ec2f84b02cea5c766b2
- 2f075bfa93c839b59929ec32fbce0146
- 98a49e7c2c303f1eef20b8023dc8c543
- cd73621d52d0c17849cfff55b67961de
- d06c413d0441be3b716434e1e069c3a5
- a42c536aa7ff89e88f70f4a038fbf61f
- 8b710b4064acced022243b60387c7ee5
- 5d716d5cd77f1d1639104b7407317c5e
- bb1c8ad9f422a39ce6329e93dc060438
- 64471311697db4541e0bf30cc16fbbc8
SHA-256
- eaa013b863bda3bd76c6f6073cc304002d1a9f317c8fba9c362534aff7dd1b0b
- e4545764e0c54ed1e1321a038fa2c1921b5b70a591c95b24127f1b9de7212af8
- b73638a6581af3c173fb0d6214fd881ed131e8f7884c1be297c80ecba5989bd4
- ec9e656a7ef5791cc4f86d17140dd012a5154cd83419669e43785b6370a00b70
- 90fd32f8f7b494331ab1429712b1735c3d864c8c8a2461a5ab67b05023821787
- 38be2f68bf3076d4549bb419d65ac55daba8ead4cc0ab954f6d0fc1aa42f534a
- 69d3b199547198bbbc397a0980274df00c1eda6b631a19552324ec37ccb36718
- 2d6ced810b45358b89ee180f69697569723f54d28872e4d4451766407295d59b
- 1a9d8b16ef6132884161bd820fe24cbfc8dc9514c3b31d7eacf4de707899dd6a
- f7eb8fdb6eabb2fb64314c898c621c4aedb8c167c50bd62ad799fa2c0bc306b6
- 5e1ac5f28b37afc3b2a1902ee7c68485b3fcc55d648ff9e5309646a77ff53882
- d8aa512b03a5fc451f9b7bc181d842936798d5facf1b20a2d91d8fdd82aa28b7
- f44fd723398e148f7d437d22a417fd5b4c4f835a7b5a7c1624706e942320afa4
- 319bd26ad751a79b1b1c474749d3d856277b712f1eca3b1a88a8605a8f2facaf
- f765b0b6e4a34eb95c6f0ddf058bc88d5ef9ec2b11a5f3504d1673f4f69aceca
- 7de663524b63b865e57ffc3eb4a339e150258583fdee6c2c2ca4dd7b5ed9dfe7
- ed988768f50f1bb4cc7fb69f9633d6185714a99ecfd18b7b1b88a42a162b0418
- a500e5ab8ce265d1dc8af1c00ea54a75b57ede933f64cea794f87ef1daf287a1
- cc67e663f5f6cea8327e1323ecdb922ae8e48154bbf7bd3f9b2ee2374f61c5d6
- fb69c821f14cb0d89d3df9eef2af2d87625f333535eb1552b0fcd1caba38281f
- f10471e15c6b971092377c524a0622edf4525acee42f4b61e732f342ea7c0df0
- 4b2862a1665a62706f88304406b071a5c9a6b3093daadc073e174ac6d493f26c
- 026868713d60e6790f41dc7046deb4e6795825faa903113d2f22b644f0d21141
- c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49e
- 6e50e65114131d6529e8a799ff660be0fc5e88ec882a116f5a60a2279883e9c4
- ef385ed64f795e106d17c0a53dfb398f774a555a9e287714d327bf3987364c1b
- b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054
- bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2
- 56accd171cdf414471a13198890d0e069c03d41a23a2ba9be1ad2198eb2137d3
- fa26fe1eb2c25d4f104febdf0df061b0807e7f70eecf74c7583e72a7bd6c07bb
- c577bbdfec7983aed227f3079c19f1a6b5680fd3cee278ee0af419b56ea5d14c
- 0e592e24593e064f0f4fd3c619807a5e4f176b13be552b01b99ed331ffb55e6e
- 3d5071deb287620ad6142ab63dc97c44a1f7cb6b4b4ac51cb68d08907664514c
- 3213c5e1427eec00eb33a97e806c147b838d9ef93b8be4f4d4ac98164fd08615
- 42fbc48e1e604605d19cca5c1472ce46e6c6f4cd8fea11880a7c61e7131f4860
- 64223dc258e6687064bbf25527b78e0979d6f13bc8e8669ed0b33dfe43ce9f99
- 7e11c1245e6931ba88c4141f92ef0084aea225f7060a6f84b42de604497973c2
- 9ae94313c293975cc4e6d00ba00739c1c17c079d5e0e11bb74637f349e3c9b57
- 8db529765e5df53e6c9f2614f21b4233fe43714f3438a4a7ec04e454c3662ab1
- ee08d18162a1fbccc3fad7bcd72143d07fa9613528fa4915b137746a04872e98
SHA-1
- 0d6ff31bc473216220bc15ce0f3e892f1b930b02
- 7a94a3dcd68792877a4ca8747e23ec084b12da16
- 7f7139a9a0d437e8876520913a188321ba1c647c
- 0a71ccacab3d5f66730791ecbe4e2030e8a21a89
- bcd7a2191af9ddb1bd627e36a55fc55680e36f51
- 2cf219b4500ac6d85096f09c40c281c30db6abf0
- 14d04778acf613b41e6cc1930b3357cb53ef0ec2
- 632df000e8f49c5a90570defd4831c7a52645f72
- 2a71114f70b711da6b46e2e35562e4326e09d8bc
- a683f08912a3c845f0360f52a399f1774f9158c2
- c15a35dfbae4789b62b88ab268c5849255837edd
- b4928e4c3a8787e0461e2e78138091134c7f719a
- 3669f18e92eed9f4a0a8ee3df284798ff7a7a232
- d3862d50c36d03bab2d6b3f78c17f2fdd0704451
- 6811b418c052baec7e74260e36e6e3cd34b202b0
- eae3b67508ac5df766609f1630b615c0110cd6fe
- 4209a007fcf4d4913afad323eb1d1ae466f911a6
- 59ae2ee86e7f9f90fc3c5737355e88b59b00fa2a
- 4808cae5e9684e691490a652a93a56005d603643
- fa73bee345b6f5d214917b5425bb2a6bd9b45de7
- d02d93b707ac999fde0545792870a2b82dc3a238
- e21d95b648944ad2287c6bc01fcc12b05530e455
- a8e7659942cc19f422678181ee23297efa55fa09
- 69840d4c4755cdab01527eacbb48577d973f7157
- 4e68e6daf702c6f8f2a7aed3fb23169f331fd47c
- 3f37ca0db6442743e34768e44450752637930523
- 11d594f3b3cf8525682f6214acb7b7782056d282
- 2a6ddf89a8366a262b56a251b00aafaed5321992
- a692f14fce189d2cc13e9cd85155cacba620cdd5
- 4512c9d2aeebc1e135f0be0ab3bb148b0421ab53
- f6cd63f1e230d999274fe6a09dc2687dd120f7f6
- 9127e5186d3f7767184164bdddf72100775bc3e2
- e5236411b77e039e9635cc8e7d34cc7c5aaf3c05
- 9942cfc5c6ead24763c5b151b2af71d0e5c8b7df
- 74ee6fe6bff7f6c04c75fd8c70c197331069de11
- bbe0b91b448de10fd1bb49e82130d8d92692eb63
- afeeaacd0e54ebe85b721d2905037af606f8f752
- 13381c689a23b30599bcffa196700648fda06418
- 7fd965600402cd75f8963993a7df95b5b7b3031a
- f8a06fd1061e176712669cfaafbd7fbcee274ca0
URL
- http[:]//pns[.]org[.]pk/crt/xe
- http[:]//subscribe[.]tomcruefrshsvc[.]com/VcvNbtgRrPopqSD/SzWvcxuer/userlog[.]php?id=WORK&&user=admin&&OsI=
- http[:]//deathstroke[.]xyz/WRLm4mYD0p6iWCta/CoETln2BYtPHtY9W[.]php
- https[:]//mail[.]hitt[.]pkgov[.]org/
- https[:]//maritimepakistan[.]kpt-pk[.]net/5434/1/3694/2/0/0/0/m/files-ce32ed85/file[.]rtf
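The indicators above are defanged (`[.]`, `[:]`), so they have to be normalized before they can be swept across DNS, proxy, or firewall logs. The script below is an added example for this advisory, not Rewterz tooling: it refangs a subset of the domains, IPs, and URLs listed above, matches at the hostname level so that subdomains of a listed domain are caught, and runs the sweep over a handful of constructed log lines (the client addresses, timestamps, and the `mail.example.invalid` host are invented).

```python
"""Refang defanged IOCs and sweep them over log lines.  Added example;
the LOG entries are constructed, the indicators come from the list above."""
import re
from urllib.parse import urlsplit

DEFANGED = [
    "deathstroke[.]xyz",
    "pmo[.]nationalhelpdesk[.]pk",
    "sngpl[.]org[.]pk",
    "95[.]179[.]160[.]235",
    "http[:]//pns[.]org[.]pk/crt/xe",
    "http[:]//deathstroke[.]xyz/WRLm4mYD0p6iWCta/CoETln2BYtPHtY9W[.]php",
]

# URL, then dotted hostname, then IPv4 literal; order matters for alternation.
TOKEN = re.compile(r"https?://\S+|[\w.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}", re.I)


def refang(ioc: str) -> str:
    """Undo the common [.] / [:] / (.) / hxxp defanging conventions."""
    s = ioc.strip().replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")
    return re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), s, flags=re.I)


def host_of(token: str) -> str:
    """Hostname of a URL; bare domains and IPs pass through lower-cased."""
    if "://" in token:
        return (urlsplit(token).hostname or "").lower()
    return token.lower()


def host_matches(host: str, ioc_hosts) -> bool:
    """Exact match or subdomain of a listed host (www.pmo.nationalhelpdesk.pk hits)."""
    host = host.rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ioc_hosts)


def sweep(lines, iocs=DEFANGED):
    """Return (line, matching_token) pairs for lines that touch a listed host."""
    ioc_hosts = {host_of(refang(i)) for i in iocs}
    hits = []
    for ln in lines:
        for tok in TOKEN.findall(ln):
            tok = tok.rstrip(".,;)")
            if host_matches(host_of(tok), ioc_hosts):
                hits.append((ln, tok))
                break
    return hits


# Constructed log lines in a generic key=value format.
LOG = [
    "2022-03-24T09:12:01Z dns client=10.0.5.21 query=deathstroke.xyz type=A",
    "2022-03-24T09:12:05Z proxy client=10.0.5.21 url=http://deathstroke.xyz/WRLm4mYD0p6iWCta/CoETln2BYtPHtY9W.php status=200",
    "2022-03-24T09:13:10Z dns client=10.0.5.33 query=mail.example.invalid type=A",
    "2022-03-24T09:14:42Z proxy client=10.0.7.2 url=https://www.pmo.nationalhelpdesk.pk/login status=302",
    "2022-03-24T09:15:00Z fw src=10.0.9.9 dst=95.179.160.235 dport=443 action=allow",
]

if __name__ == "__main__":
    for line, token in sweep(LOG):
        print(f"HIT {token}: {line}")
```

Matching on the hostname rather than the full URL is deliberate: the paths in the listed URLs look campaign-specific and will change, while the domains and IPs are the stable part of the infrastructure. Pivot to full-URL matching only when a domain is shared hosting and too noisy on its own.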
Remediation
- Logging – Log network activity and web server activity across the environment, and retain the logs long enough to support investigation of the indicators listed above.
- Passwords – Ensure that general security policies are enforced, including strong passwords, correct configurations, and proper administrative security policies.
- Admin Access – Limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Set up a Web Application Firewall in front of web-facing applications with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade platforms and software in a timely manner and make this a standard security policy. Prioritize known exploited vulnerabilities and zero-days, including CVE-2022-22584 on macOS.
- Secure Coding – Along with network and system hardening, apply code hardening within the organization so that websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- 2FA – Enable two-factor authentication, particularly on webmail and remote-access portals, since Sidewinder clones victims’ webmail login pages to harvest credentials.
- Macros and Office – Block macros in Office documents received from the internet and disable remote template downloads where they are not required, since the campaigns above rely on macro lures and template injection; treat CHM and RTF attachments with suspicion.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.