
Rewterz Threat Alert – MuddyWaters APT Recent Activity and Indicators of Compromise

April 19, 2019

Severity

High

Analysis Summary

MuddyWater is a capable APT group active since 2017 that has recently resurfaced and is targeting a range of organizations. Its main focus is government organizations in the Middle East, but it has also targeted organizations in the US and Europe.

The threat actors gather actionable information about their targets while favouring speed over operational security. The first trace of this threat actor was a public GitHub repository containing scripts that closely match those observed in Seedworm (MuddyWater) operations.

Threat indicators associated with this new campaign are given below.

Indicators of Compromise

IP(s) / Hostname(s)

185[.]117[.]75[.]116

URLs

  • hxxps://1drv[.]ms/u/s!AgvJCoYH9skpgUNf3Y3bfhSyFQao
  • hxxp://162.223.89[.]53/oa/
  • hxxp://162.223.89[.]53/oc/api/?t=
  • hxxp://162.223.89[.]53/or/?t=

Filename

  • Missan dashboard.doc
  • 16431.doc
  • letter-for-Kazakhstan.doc
  • 2-Merve_Cooperation_CV.doc

Malware Hash (MD5/SHA1/SHA256)

  • 806adc79e7ea3be50ef1d3974a16b7fb
  • f12bab5541a7d8ef4bbca81f6fc835a3
  • 072ce8858c7e5b3d71a9fa719613b107
  • 85b3f269251d805d3e2f78d37aeb1744
  • 8899c0dac9f6bb73ce750ae7b3250dbd
  • bd62f7b1766154cc7adbb6cc42561b8e
  • b0ab6ce3d044a1339a705f233e113c44a1bced10
  • c4a5e8e871e5af7a86427b08e383bb2a99fac932
  • 82306e7b75120f97f9a0ba70d334470da79d0c5d
  • 6011b09def7bca520ecad366e3e19d39e80461a4
  • 91ead70b6e7962e73261441bcd4af6b332d88e9d
  • 02fa6dd3df641b1ad18f955f16d1c27aa03c027a
  • 93b749082651d7fc0b3caa9df81bad7617b3bd4475de58acfe953dfafc7b3987
  • 08e256cd2fa027552be253ec3bf427b537977f9123adf1f36e7cd2843a057554
  • c005e11a037210eb8efe12b8dee794be36151de30b0223f2c9c4b9680cb033c0
  • 925225002364615b964e4e3704876d9b101e4f07169dbb459175248aefb5a0ad
  • c873532e009f2fc7d3b111636f3bbaa307465e5a99a7f4386bebff2ef8a37a20
  • 2f77ec3dd5a5c8146213fdf6ac2df4a25a542cbd809689a5642954f2097e037a
  • 44912475958d7d3323633836fe62d41c
  • febf7d5f01d8ddd584ae3b9f051f6338
  • 50a538062f2027b6ff763f23bc3d1545
  • e01d827d139bb933e34c7a35660b8728
  • 108133793259efe042b82cb68c6221f4dfc107ac
  • 387c5a965e94a56041af4de2acd01a50f4842c21
  • 0a5bc1ca95a91c6a12f112abed34767d73e7e9fe
  • 8635f311aa2a62844e70d49901067d8fbfedcf11
  • 68133eb271d442216e66a8267728ab38bf143627aa5026a4a6d07bb616b3d9fd
  • ef3617a68208f047ccae2d169b8208aa87df9a4b8959e529577fe11c2e0d08c3
  • 4cb0b2d9a4275d7e7f532f52c1b6ba2bd228a7b50735b0a644d2ecae96263352
  • 6f78748f5b2902c05e88c1d2e45de8e7c635512a5f25d25217766554534277fe
  • c0c22e689e1e9fa11cbf8718405b20ce57c1d7c85d8e6e45c617e2b095b01b15
  • 0089736ee162095ac2e4e66de6468dbb7824fe73996bbea48a3bb85f7fdd53e4
  • 1c25286b8dea0ebe4e8fca0181c474ff47cf822330ef3613a7d599c12b37ff5f
  • 144b3aa998cf9f30d6698bebe68a1248ca36dc5be534b1dedee471ada7302971

Remediation

  • Block the threat indicators above at their respective controls (hashes at endpoint/EDR, hosts at DNS and firewall, URLs at the web proxy).
  • Never click on links or attachments sent by unknown senders.
  • Always scan downloaded files prior to execution.
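The indicators above are published defanged (`hxxp://`, `[.]`) and mixed together regardless of type, so they have to be normalized and sorted by control before they can be loaded anywhere. The following is an added example, not Rewterz's own tooling: it refangs each indicator, classifies it (MD5/SHA1/SHA256 by hex length, IPv4, URL), derives the host from each URL so the same advisory yields a DNS/firewall list as well as a proxy list, and checks an observed value against the result. The sample list reuses a handful of indicators from this advisory; everything else (function names, the `observed` value format) is assumed.

```python
import re
from urllib.parse import urlsplit

# A few indicators copied from the advisory above, exactly as published (defanged).
SAMPLE_IOCS = [
    "185[.]117[.]75[.]116",
    "hxxps://1drv[.]ms/u/s!AgvJCoYH9skpgUNf3Y3bfhSyFQao",
    "hxxp://162.223.89[.]53/oa/",
    "806adc79e7ea3be50ef1d3974a16b7fb",
    "b0ab6ce3d044a1339a705f233e113c44a1bced10",
    "93b749082651d7fc0b3caa9df81bad7617b3bd4475de58acfe953dfafc7b3987",
]

# Hex digest length -> hash family used for the hash blocklists.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value):
    """Undo the common defanging conventions: hxxp(s):// and [.] / (.) dots."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)


def classify(raw):
    """Return (kind, normalized_value) for one indicator, defanged or not."""
    value = refang(raw)
    low = value.lower()
    if re.fullmatch(r"[0-9a-f]+", low) and len(low) in HASH_TYPES:
        return (HASH_TYPES[len(low)], low)          # hashes compared lower-case
    if IPV4_RE.match(value) and all(0 <= int(o) <= 255 for o in value.split(".")):
        return ("ipv4", value)
    if re.match(r"^https?://", value, re.IGNORECASE):
        return ("url", value)
    return ("unknown", value)


def build_blocklists(iocs):
    """Group indicators by the control that consumes them.

    URLs go to the proxy list; their hosts are additionally added to the
    ipv4 or domain list so DNS/firewall controls can block the infrastructure
    even when a different path is used.
    """
    lists = {}
    for raw in iocs:
        kind, value = classify(raw)
        lists.setdefault(kind, set()).add(value)
        if kind == "url":
            host = urlsplit(value).hostname or ""
            host_kind = "ipv4" if IPV4_RE.match(host) else "domain"
            lists.setdefault(host_kind, set()).add(host)
    return {kind: sorted(values) for kind, values in lists.items()}


def match_observed(observed, blocklists):
    """Return the blocklist an observed value (plain or defanged) hits, else None."""
    kind, value = classify(observed)
    return kind if value in blocklists.get(kind, []) else None


if __name__ == "__main__":
    lists = build_blocklists(SAMPLE_IOCS)
    for kind, values in lists.items():
        print(kind, values)
    print(match_observed("http://162.223.89.53/oa/", lists))
```

Hashes are lower-cased before comparison so an EDR alert reporting an upper-case SHA1 still matches; IPv4 octets are range-checked so a stray version string such as `1.2.3.456` is not treated as an address.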

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.