August 14, 2024
Severity
High
Analysis Summary
Earth Baku, a China-linked threat actor, expanded its operations beyond the Indo-Pacific region in late 2022 and began targeting Europe, the Middle East, and Africa.
Italy, Germany, the United Arab Emirates, and Qatar are among the most recent targets of the campaign; suspected attacks have also been observed in Georgia and Romania. The sectors targeted in this intrusion set include government agencies, media and communications, telecom companies, technology, healthcare, and educational institutions.
In its more recent campaigns the group has updated its tools, techniques, and procedures (TTPs), using publicly accessible applications such as IIS servers as entry points before deploying advanced malware toolsets on the victim's systems, according to the researchers. The findings build on earlier research from Google-owned Mandiant, which described the threat actor's use of the malware families DodgeBox (also known as DUSTPAN) and MoonWalk (also known as DUSTTRAP); in this research they are tracked as StealthReacher and SneakCross respectively.
Earth Baku, which is linked to APT41, has been observed using StealthVector since at least October 2020. Attack chains exploit publicly accessible applications to drop the Godzilla web shell, which is then used to deliver further payloads. StealthReacher, classified as an enhanced variant of the StealthVector backdoor loader, launches SneakCross, a modular implant believed to be the successor to ScrambleCross that uses Google services for its command-and-control (C2) communication.
The attacks are also characterized by the use of post-exploitation tooling: the tunneling tools iox and Rakshasa, the Tailscale Virtual Private Network (VPN) service, and MEGAcmd, a command-line client used to exfiltrate sensitive data to the MEGA cloud storage service. SneakCross is the group's most recent modular backdoor and is launched covertly by the StealthVector and StealthReacher loaders.
Impact
- Data Exfiltration
- Sensitive Data Theft
Indicators of Compromise
Domain Name
- mircoupdate.https443.net
- track.cdn78544.ru
IP
- 5.182.207.28
- 78.108.216.20
- 212.87.212.115
MD5
- f42867e74bbc41767bffacc0de7bfa5e
- 5a1987c2869cb2d8c443fb4512361451
- e9625ce47b87085b66e0ee6e17ecb333
- bc85062de0f70afd44bb072b0b71a8cc
- 85d0b0a1e06a701e87bf00a5227d981e
- ee7faba27a2c5f7acb5b06e94aa318e0
- 72070b165d1f11bd4d009a81bf28a3e5
- f0953ed4a679b987a2da955788737602
- 277f4c22e07449f418ccdbb5973e37c3
- 571767b9fec7cf8df3617ea3f185512c
- f062183da590aba5e911d2392bc29181
- 28e01e0e53585ecf68b47f1b2f5bfd33
- e98b9e21928252332edf934f3d18ac21
SHA-256
- 7e63c6b9ab3b32beffbc1eb23d6ca7cc59616b0722f0dd4f0d893c0a1724f5d7
- 8405d742405d3a6d3bda6bc49630dd5f3604a3d6ae27cbd533e425f8abbaafdc
- a50f85c71b69563ba42bf04c937e1063244ca4957231d3adac76f1c96ab42d3c
- ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf
- ec10a9396dca694fe64366e0dab82d046cf92457f97efd50a68ceb85adef6b74
- 73eaba82ef1c502448e533007e92b1afa879b09f85f28b71648668ea62839ff5
- 0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0
- 1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3
- 3e52c310c6556367ff9e18448bc41719e603d1cbbdafdcba736c6565529617b6
- 07aa971f0791b06dd442d4c7a49c1d3d27a1cbb16602f731e870b5ef50edf69e
- 166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107
- 21fc0f50d545c0a373380934dc61c423c8a31d8c3e6eae4f8a35149ad9962d88
- 7586e58a569c2a07d0b3a710616f48833a040bf3fc57628bbdec7fcb462d565a
SHA-1
- 13c1c6752006667697cd4f72a2f1b8616af2b60e
- 57a3fadcbc2ce9ddc362707dd35701f6bebc31a4
- 8d8161a7fcd835781820e4921039525975f9324d
- 66fb63e6e49c2c201a0b6204e1d0269812a4b662
- cffd1a3dcb04f437dd19892ef5684deff7b1961a
- 144550355b3dfb67a0ef65dc7f69470b4faf4ca1
- 3872c38625ca62de3bcbe29740c1a0b8921fcf48
- 5b46b63e31f307757cedf305005ce9990a07cbf4
- 02c041f0c2632a4c4c2e71aca62176864e694e97
- cafb4ce45cf475fdcbd95d1c6775d3e0352b4401
- ba6d77f358b4fa00dda5d0e2fdd21c761d154f95
- be11eb2d3983319f078c5facbfe53756ddf86a44
- 00d2512b5596b4f1150cd13c284727a4fcb1d73e
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Regularly change passwords for all accounts and use strong, unique passwords for sensitive accounts.
- Carefully check the URLs before entering credentials or downloading software.
- Implement multi-factor authentication (MFA) on all accounts to add an extra layer of security to login processes.
- Consider the use of phishing-resistant authenticators to further enhance security. These types of authenticators are designed to resist phishing attempts and provide additional protection against social engineering attacks.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Stay vigilant and follow cybersecurity best practices to protect systems and data, including regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Never trust or open links and attachments received from unknown sources/senders.
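The first two remediation items (block the indicators, then search for them) are the ones a responder acts on immediately. The script below is an added example, not part of the original advisory or of any vendor tooling: it hashes every file under a directory once (MD5, SHA-1 and SHA-256 in a single pass) and compares the digests against the IOC hashes, and it scans log lines for the listed domains (including their subdomains) and IPs. Only a subset of the hashes from the IOC section is embedded to keep the block short; paste the rest into IOC_HASHES. The log lines and the file written by demo_sweep() are constructed for the demonstration, and the path and field layout of the sample log lines are assumptions.

```python
"""IOC sweep for the Earth Baku indicators listed above (added example, not vendor code)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the IOC section above. Hash list is a subset; add the remaining
# MD5/SHA-1/SHA-256 values from the advisory as lowercase hex strings.
IOC_DOMAINS = {"mircoupdate.https443.net", "track.cdn78544.ru"}
IOC_IPS = {"5.182.207.28", "78.108.216.20", "212.87.212.115"}
IOC_HASHES = {
    "f42867e74bbc41767bffacc0de7bfa5e",                                  # MD5
    "5a1987c2869cb2d8c443fb4512361451",                                  # MD5
    "13c1c6752006667697cd4f72a2f1b8616af2b60e",                          # SHA-1
    "57a3fadcbc2ce9ddc362707dd35701f6bebc31a4",                          # SHA-1
    "7e63c6b9ab3b32beffbc1eb23d6ca7cc59616b0722f0dd4f0d893c0a1724f5d7",  # SHA-256
    "8405d742405d3a6d3bda6bc49630dd5f3604a3d6ae27cbd533e425f8abbaafdc",  # SHA-256
}

# Constructed sample log lines (not real telemetry); format is an assumption.
SAMPLE_LOG = [
    "2024-08-14T10:01:02Z dns client=10.0.0.5 query=mircoupdate.https443.net type=A",
    "2024-08-14T10:01:03Z proxy client=10.0.0.5 dst=5.182.207.28:443 method=CONNECT",
    "2024-08-14T10:02:10Z dns client=10.0.0.9 query=updates.microsoft.com type=A",
    "2024-08-14T10:03:44Z proxy client=10.0.0.7 dst=cdn.track.cdn78544.ru:443 method=CONNECT",
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)  # hostnames, last label alphabetic
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def file_digests(path):
    """Read the file once in 1 MiB chunks and return md5/sha1/sha256 hex digests."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep_files(root, ioc_hashes=IOC_HASHES):
    """Walk `root` and return [(path, algo, digest)] for every file whose digest is an IOC."""
    iocs = {h.strip().lower() for h in ioc_hashes}  # normalise case so pasted hashes match
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digests = file_digests(path)
        except OSError:
            continue  # locked or unreadable file; log it in production instead of skipping silently
        for algo, digest in digests.items():
            if digest in iocs:
                hits.append((str(path), algo, digest))
    return hits


def domain_hit(host, ioc_domains):
    """True if host equals an IOC domain or is a subdomain of one (a.b.c matches IOC b.c)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_log_lines(lines, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Return [(line_no, indicator)] for lines that reference an IOC domain or IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if domain_hit(host, ioc_domains):
                hits.append((n, host.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((n, ip))
    return hits


def demo_sweep():
    """Write a constructed file to a temp dir and sweep it against its own SHA-256.

    Returns (hits, digest) so the match can be checked without touching real IOC samples.
    """
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    sample = b"constructed sample content, not malware"
    with open(os.path.join(root, "sample.bin"), "wb") as fh:
        fh.write(sample)
    digest = hashlib.sha256(sample).hexdigest()
    return sweep_files(root, IOC_HASHES | {digest}), digest


if __name__ == "__main__":
    for line_no, ioc in scan_log_lines(SAMPLE_LOG):
        print(f"log line {line_no}: matched {ioc}")
    hits, _ = demo_sweep()
    for path, algo, digest in hits:
        print(f"file hit: {path} ({algo}={digest})")
```

The hostname matcher treats subdomains of a listed domain as hits, because C2 infrastructure is commonly rotated across hosts under one registered domain; the IP matcher is exact. A sweep like this is point-in-time: it finds artifacts that are still on disk and traffic that is still in retained logs, so run it against EDR and proxy history as well as the live filesystem.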