Jazi

@h2jazi@infosec.exchange
224 Followers
15 Following
8 Posts
Threat Intel researcher @malwarebytes @MBThreatIntel.
Special interest in tracking APTs.
Twitter@h2jazi

#SideWinder #APT
Notification No. MoDP 4346.zip (MoDP: Ministry of Defence Production of Pakistan)
490aeba4e2034bb7ff45ad22ffaaae42

It contains a maldoc and a decoy pdf:
Maldoc: (It seems it is an old sample of this threat actor. Creation time: 2017-10-27)

Officers order.docx
cab6916c5829a8bb7fd9c66dca177992
It uses DDE to call Mshta to download the next stage.
en-db.herokuapp[.]com

Decoy pdf:
DOC-20221211-WA0093.pdf
ce9d11cfff7ae6fd2b063ce69de2ac5d

It seems #Gamaredon #APT has operated a phishing campaign to target Security Services of Ukraine (http://ssh.gov.ua)

email subject:
Щодо зіпсуття військово-облікових документів СБУ
(Regarding the corruption of SBU military accounting documents)

1265_09.12.2022.7z
1ffb409a8d8e395d969193e93b66419e

Щодо зіпсуття військово-облікових документів та їх втрату з небрежності співробітниками СБУ.lnk
f72c9718260c96c77d1e0be91b30fcbf

https://dwn-files[.]shop/12.12_sb/rehearsal.rtf

#DangerousPassword (#Lazarus) #APT
It targets Polish-speaking people:

Lnk:
hasło.txt.lnk (password.txt.lnk)
b860a22f327bce97aa198a5e859ae20a
Decoy:
podwyżka wypłaty.pdf (pay raise.pdf)

Archive file:
1d1a1419db6e328e54d33fb2b124e334
C2:
microshare[.]cloud
one.microshare[.]cloud

#AveMariaRAT
The email pretends to be a letter about a meeting between the Consul General of the Republic of Kazakhstan and the Ministry of Foreign Relations of the Astrakhan region.

- The email contains a vhdx attachment.
- The attachment contains a lnk and an archive file (decoy pdf).

- The lnk downloads the AveMaria payload using curl and executes it.

Тезисы.pdf.vhdx
56d1e9d11a8752e1c06e542e78e9c3e4

Download url:
http://45.61.137.32/www.exe

#AveMariaRAT
2300a4eb4bf1216506900e6040820843

C2:
hbfyewtuvfbhsbdjhjwebfy[.]net
193.188.20.163

It looks like an actor is targeting Poland!

The lure is in Russian, but the sample was submitted from Poland and it is somehow aligned with the lure content.
Probably related to #Gamaredon #APT

73f3bffc4a9bda454456b924df48d6f1
remote-convert[.]com

Interesting SFX archive files! The TTPs used are aligned with #Gamaredon #APT, but the lure used is not, so probably a threat actor is trying to mimic this APT's behavior.
eedfd9a8235044458bcdcac771722d9c
1467d88e82c42f16a7e0ff896717aabc

C2:
cortanaupdater[.]com

The lure is in Russian and is a joint decision between the Russian Ministry of Defense and the Ministry of Industry and Trade to adopt a procedure to create weapons and military equipment.

The actor has also created more domains using a similar Microsoft-related theme:

#MustangPanda #APT:
It uses a legitimate Microsoft Suite Integration Toolkit executable to side-load the PlugX payload.

Archive file:
865d2582e7ae2a13f363ab5cdb60da9c

Payload:
dlmgr.dll
8251d2c698028db64583971760c7f3f0

C2:
98.142.251.29

#Bitter #APT maldoc: (Looks like it is an old sample that just came to VT)
dfa77118f598e3cad79f54acbf1f677b
COM28.docx

Remote template:
http://vividworld[.]net/kd4587
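A small extractor for the defanged indicator format these posts use (an added example, not the author's tooling): it refangs the `[.]` notation, classifies MD5s, IPv4s, URLs and domains, and skips file names like dlmgr.dll that would otherwise pass as domains. The sample post is constructed from values quoted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the style of the posts above (defanged with "[.]").
SAMPLE_POST = """\
#AveMariaRAT
2300a4eb4bf1216506900e6040820843
Payload: dlmgr.dll (http://45.61.137.32/www.exe)
C2:
hbfyewtuvfbhsbdjhjwebfy[.]net
193.188.20.163
https://dwn-files[.]shop/12.12_sb/rehearsal.rtf
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL_RE = re.compile(r"^https?://\S+$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+([a-z]{2,})$", re.I)
# File names such as dlmgr.dll or COM28.docx also match DOMAIN_RE; skip common extensions.
FILE_EXTS = {"docx", "doc", "pdf", "lnk", "dll", "exe", "rtf", "zip", "txt", "vhdx"}

def refang(token: str) -> str:
    """Drop surrounding punctuation and undo the defanging used in the posts."""
    return token.strip("(),;").replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def classify(value: str) -> Optional[str]:
    """Return the indicator type of one refanged token, or None for ordinary words."""
    if MD5_RE.match(value):
        return "md5"
    if IPV4_RE.match(value):
        return "ipv4"
    if URL_RE.match(value):
        return "url"
    m = DOMAIN_RE.match(value)
    if m and m.group(1).lower() not in FILE_EXTS:
        return "domain"
    return None

def extract_iocs(text: str) -> Dict[str, List[str]]:
    """Collect deduplicated, refanged indicators from a post, keyed by type."""
    found: Dict[str, List[str]] = {"md5": [], "ipv4": [], "url": [], "domain": []}
    for token in text.split():
        value = refang(token)
        kind = classify(value)
        if kind and value not in found[kind]:
            found[kind].append(value)
    return found
```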