Severity
Medium
Analysis Summary
A defense-contractor-themed phishing campaign has recently been active and is targeting a range of organizations. The campaign has been seen before, mainly targeting defense and military infrastructure, and attempts to gain as much access as possible by luring users into handing over their credentials.
The spear-phishing attacks appear to be part of a broad campaign targeting defense contractors, several universities and security firms. The malware operates as a remote access tool and was initially detected by only a small number of antivirus vendors.
Impact
- Credential theft
- Exposure of sensitive information
Indicators of Compromise
URLs
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or open attachments sent by unknown senders.