Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 52 threat intelligence reports and compiled a concise summary of each, along with the relevant metadata extracted from them. Below is a short summary of 10 of those reports: the related threats, tools and threat actors, a link to the source, and the indicators of compromise (IoCs) extracted from the original reports. More granular information on all reports, including TTPs, is available via RST Report Hub.

Title: APT-C-36 Analysis of Attack Activities
Link: https://www.ctfiot.com/220513.html
Summary: APT-C-36, also known as Blind Eagle, is a South American APT group that has targeted Colombia and neighboring countries since 2018, with a notable increase in activity since October 2024. Its attacks use a multi-stage chain that keeps malicious code in memory to evade detection, typically starting from an SVG file that delivers malware disguised as a legitimate document from the Colombian Ministry of Justice. Once executed, the chain establishes remote access through an AsyncRAT client, providing keylogging and password extraction, and uses the "Heaven's Gate" technique (switching 32-bit code into 64-bit execution to bypass WoW64 user-mode hooks) to complicate analysis and debugging.
Threats: blindeagle_group asyncrat heavens_gate_technique double_kill_vuln double_star_vuln nightmare_formula_vuln
Indicators of compromise:
-------------------------
ip: 172[.]233[.]162[.]230
domain: warpower[.]dynuddns[.]net
url: https://Warpower[.]dynuddns[.]net
hash:
- md5=e4d26ef4eb535ed7a5a5694ec804159f
- md5=51865d714d444e677aa12adc8a399562
- md5=cb7417248c5fd3c7c76eb21b670a7a7f

Title: Attackers exploiting a patched FortiClient EMS vulnerability in the wild
Link: https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-the-wild/115046
Summary: The incident involved the compromise of an internet-exposed Windows server through CVE-2023-48788, a known and already patched SQL injection vulnerability in FortiClient EMS. After exploitation, the attackers deployed remote access tools such as ScreenConnect and AnyDesk to control the compromised systems, and used Base64-encoded commands to download payloads that enabled credential harvesting, lateral movement and persistence within the network. Evidence of exploitation was found in server logs and in unusual requests to webhook.site; exploitation attempts were observed across 18 countries, with particular activity linked to a known malicious IP in Germany previously associated with infostealer threats and with ransomware groups such as Conti and LockBit.
Threats: screenconnect_tool anydesk_tool netscan_tool cobalt_strike lockbit conti connectwise_tool mimikatz_tool mimik_tool
Indicators of compromise:
-------------------------
ip: 45[.]141[.]84[.]45, 185[.]216[.]70[.]170:1337
domain: infinity[.]screenconnect[.]com, kle[.]screenconnect[.]com, trembly[.]screenconnect[.]com, corsmich[.]screenconnect[.]com
url: https://sipaco2[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://trembly[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://corsmich[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://myleka[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://petit[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://lindeman[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://sorina[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://kle[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://infinity[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://solarnyx2410150445[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://allwebemails1[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, https://web-r6hl0n[.]screenconnect[.]com/Bin/ScreenConnect[.]ClientSetup[.]exe?e=Access&y=Guest, http://185[.]196[.]9[.]31:8080/bd7OZy3uMQL-YabI8FHeRw, https://webhook[.]site/7ece827e-d440-46fd-9b22-cc9a01db03c8, https://webhook[.]site/d0f4440c-927c-460a-a543-50d4fc87c8a4, http://185[.]216[.]70[.]170, http://185[.]216[.]70[.]170/oo[.]bat, http://185[.]216[.]70[.]170/hello, http://185[.]216[.]70[.]170/sos[.]txt, http://185[.]216[.]70[.]170/72[.]bat, http://206[.]206[.]77[.]33:8080/xeY_J7tYzjajqYj4MbtB0w, http://5[.]61[.]59[.]201:8080/FlNOfGPkOL4qc_gYuWeEYQ, http://5[.]61[.]59[.]201:8080/7k9XBvjahnQK09abSc8SpA, https://www[.]lidahtoto2[.]com/assets/im[.]ps1, http://87[.]120[.]125[.]55:8080/BW_qY1OFZRv7iNiY_nOTFQ
hash:
- sha1=8cfd968741a7c8ec2dcbe0f5333674025e6be1dc
- sha1=441a52f0112da187244eeec5b24a79f40cc17d47
- sha1=746710470586076bb0757e0b3875de9c90202be2
- sha1=bc29888042d03fe0ffb57fc116585e992a4fdb9b
- sha1=841fff3a36d82c14b044da26967eb2a8f61175a8
- sha1=34162aaf41c08f0de2f888728b7f4dc2a43b50ec
- sha1=cf1ca6c7f818e72454c923fea7824a8f6930cb08
- sha1=59e1322440b4601d614277fe9092902b6ca471c2
- sha1=75ebd5bab5e2707d4533579a34d983b65af5ec7f
- sha1=83cff3719c7799a3e27a567042e861106f33bb19
- sha1=44b83dd83d189f19e54700a288035be8aa7c8672
- sha1=8834f7ab3d4aa5fb14d851c7790e1a6812ea4ca8

Title: A Look Back: The Evolution of Latin American eCrime Malware in 2024
Link: https://www.crowdstrike.com/en-us/blog/latam-ecrime-malware-evolution-2024
Summary: In 2024 the LATAM eCrime landscape evolved significantly, marked by the emergence of malware families such as Kiron, which became the most actively developed variant because of its delivery mechanisms, including a browser-stealing extension and the use of JPHP for obfuscation. Notable tactics included multi-stage infection chains and malspam campaigns targeting customers of financial institutions in Spanish- and Portuguese-speaking regions. Collaboration among LATAM cybercriminals was evident in practices shared across malware families, such as SAMBA SPIDER's phishing campaign against Mexico's electronic invoice system and Caiman's string decryption routines. Malware developers refined their tools and experimented with modern programming languages, focusing primarily on evasion techniques to defeat detection.
Threats: mispadu grandoreiro nestoloader sambaspider_actor caiman mekotio metamorfo vmprotect_tool astaroth dead_drop_technique
Indicators of compromise:
-------------------------
ip: 84[.]246[.]85[.]94:7890, 191[.]55[.]53[.]136, 147[.]45[.]116[.]5
domain: 162[.]200[.]178[.]68[.]host[.]secureserver[.]net, contpt[.]top, massgrave[.]site, lovecollege[.]hosthampster[.]com
url: https://162[.]200[.]178[.]68[.]host[.]secureserver[.]net/g1, https://contpt[.]top/ROmRv22/AGSfA782[.]js, https://contpt[.]top/gZS74/N5LbsD5852[.]vbs, https://contpt[.]top/g2, http://108[.]165[.]96[.]26:8080/19b[.]zip, https://adjunto[.]pdfxml[.]store//6725c86d7fae4/js/6725c86d7fa55[.]js, https://public[.]adobecc[.]com/files/1CBZREKGR3QFQLNIAB3CPYSQNZAFFF?content_disposition=attachment, http://38[.]54[.]57[.]26/lu/conta[.]php, https://api[.]cacher[.]io/raw/e9972f773263412223fe/d5186951e0cbbf25c69b/a
hash:
- sha256=b23aabe16db5f6ccdd061b457d01b94647ed5b5852806624dca277b43d63e188
- sha256=5f6c0ba669db489bc2ff186af312bfe7616f9e4a12706e195225da7168e10db0
- sha256=fc258ef827620184253ba37d94efc0043745c29cf3c9f21a6c730f7727d6d076
- sha256=ba4e715fe25aeaaf186e8395c2f13ca580457ab4e8ec1c037fd13821d97a6848
- sha256=15899e250892c2cc6b38d7cdcd2a3934a49c5dca954889564a98d15a52bf3b7c
- sha256=46b8e68f5e85935349d0bfc555b9786f7adbac9ec9a9fa174ba0c4f89baa098f
- sha256=148cd318aec19451b9ad17e58e0d97ebaffd46b56d3528608de20b95dd429c45
- sha256=0f035dced631ac58cfae510cfc61bb1dbef119331a8aea8d5c724a5ddca0f8c5
- sha256=bbf766df1972966b0ab3928d82c61d953e849638bb2c0bab60df3ad8aaacf174
- sha256=3972d6c85bb37889265fef3bb3b3ed8494e038ca37e345a515e39b3e95766a50
- sha256=129971e378991d14c444db7a7f4c9a16ece750dd6498261d2f35c85baa9bfd07
- sha256=27f482377777a1b8e1e679863685f64121f28e1e6e2bba832397269d1763e118
- sha256=d7a918b29b4423b2a4be151f1b37c28abc081068c13a04ad8fd70dbd725d659b
- sha256=07a58395e20090f139eb0cb3aa1872da4fae8c1630de818a405d3329a7406150
- sha256=60b32e40ec0a5e59081fa9816a26346892899175ce97c811761423c3533e0651
- sha256=5d74d439bbb0be789e23bdaafd8cff938e6e686af7c8e215dc945cacc88d131c
- sha256=2776c052d11f52501871c4cb5a051a1970f002c3f099969040945fb94a158d9a
- sha256=57e76a7af5bafb4ff06f5f44dcf1182ea5c6a8682651c260f555c52fd441b412
- sha256=aec68d256d8d2caf2d94c5944279806dd4da36d125c7a7d1485c89f718d0db15

Title: Hidden in Plain Sight: TA397's New Attack Chain Delivers Espionage RATs
Link: https://www.proofpoint.com/us/blog/threat-insight/hidden-plain-sight-ta397s-new-attack-chain-delivers-espionage-rats
Summary: Proofpoint identified the APT TA397, also known as Bitter, targeting a Turkish defense sector organization with a spear-phishing campaign whose lure concerned public infrastructure projects in Madagascar. The attack used a RAR archive containing a decoy PDF, a malicious shortcut (LNK) file and an NTFS Alternate Data Stream (ADS) holding PowerShell code that created a scheduled task for subsequent malware delivery. TA397 then deployed the WmRAT and MiyaRAT remote access trojans for intelligence gathering and data exfiltration, consistent with the group's espionage focus and its alignment with the interests of a South Asian government. The campaign's infrastructure included dedicated domains for distribution and command and control, matching TA397's established tactics and its consistent pattern of attacks on defense sector organizations.
Threats: bitter_group wmrat miyarat spear-phishing_technique
Indicators of compromise:
-------------------------
ip: 185[.]244[.]151[.]84, 38[.]180[.]142[.]228, 96[.]9[.]215[.]155
domain: jacknwoods[.]com, academymusica[.]com, samsnewlooker[.]com
url: http://jacknwoods[.]com/jacds[.]php?jin=%computername%_%username%, https://www[.]jacknwoods[.]com/chthuo[.]php?ain=%computername%_%username%, http://jacknwoods[.]com/gfxview[.]msi
hash:
- sha256=53a653aae9678075276bdb8ccf5eaff947f9121f73b8dcf24858c0447922d0b1
- sha256=f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733
- sha256=10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f
- sha256=c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317

Title: Analyzing FLUX#CONSOLE: Using Tax-Themed Lures, Threat Actors Exploit Windows Management Console to Deliver Backdoor Payloads
Link: https://www.securonix.com/blog/analyzing-fluxconsole-using-tax-themed-lures-threat-actors-exploit-windows-management-console-to-deliver-backdoor-payloads
Summary: The Securonix Threat Research team identified a tax-themed phishing campaign, tracked as FLUX#CONSOLE, that uses Microsoft Management Console (MSC) files combined with obfuscation to deliver a stealthy backdoor. The lures are tax-related documents, such as a PDF titled "Income-Tax-Deduction-and-Rebates202441712.pdf". Sideloading of a malicious DLL through the legitimate Windows binary Dism.exe, together with scripts embedded in the MSC files, gives the attackers persistent access to victims' systems while evading traditional detection. The primary target appears to be Pakistan, and the use of MSC files points to threat actors exploring new delivery methods beyond the previously common LNK-file approach.
Threats: flux_console_campaign slow_tempest_campaign shrouded_sleep_campaign cron-trap_campaign grimresource_technique dll_sideloading_technique msedge junk_code_technique dllsearchorder_hijacking_technique sidewinder_group gamaredon_group lazarus_group spear-phishing_technique
Indicators of compromise:
-------------------------
ip: none listed
domain: siasat[.]top
url: https://ewh[.]ieee[.]org/reg/ccece15/files/ccece-word-sample[.]pdf, https://siasat[.]top/xyzxyzhanoiwhb3237gb2wahabjiki/Vuznbe3fbo234t34-snake-2723[.]html, https://siasat[.]top/xyzxyzhanoiwhb3237gb2wahabjiki/income[.]pdf, https://siasat[.]top/data
hash:
- sha256=b3b2d915f47aa631cc4900ec56f9b833e84d20e850d78f42f78ad80eb362b8fc
- sha256=b33d76c413ef0f4c48a8a61cfeb5e24ff465bbc6b70bf0cada2bb44299a2768f
- sha256=f6c435a9a63bdef0517d60b6932cb05a8af3b29fc76abafc5542f99070db1e77
- sha256=5756f6998e14df4dd09f92b9716cffa5cd996d961b41b82c066f5f51c037a62f

Title: Paper Werewolf combines cyber espionage with destructive actions
Link: https://bi.zone/expertise/blog/paper-werewolf-sovmeshchaet-kibershpionazh-s-destruktivnymi-deystviyami/
Summary: The report details an ongoing campaign by the Paper Werewolf cluster, which has targeted Russian organizations since 2022 using PowerShell scripts and malicious Microsoft Word documents among other techniques and malware. BI.ZONE Threat Intelligence found that the attackers use custom files, including UserCache.ini and UserCache.ini.hta, and communicate with a remote server to execute encoded commands. Their tactics also include a malicious loader that masquerades as a legitimate process, and phishing emails that persuade users to enable macros so that the embedded scripts can run. The report notes a shift in the cluster's focus from pure espionage to disruptive actions, with its capabilities expanded through post-exploitation frameworks and a range of malware that complicates detection.
Threats: paper_werewolf_group mythic_c2 powertaskel qwakmyagent gophish_tool powerrat owowa chisel_tool
Indicators of compromise:
-------------------------
ip: 94[.]103[.]85[.]47, 185[.]244[.]182[.]87, 5[.]252[.]176[.]55, 85[.]198[.]110[.]216
domain: disk-yanbex[.]ru, lobbyluxuries[.]com
url: none listed
hash:
- sha256=fa8853aaa156485855b77a16a2f613d9f58d82ef63505be8b19563827089bf52
- sha256=13252199b18d5257a60f57de95d8c6be7d7973df7f957bca8c2f31e15fcc947b
- sha256=8ba4cd7ea29f990cb86291003f82239bfafe28910d080b5b7d3db78e83c1b6f3
- sha256=37b3fa8a3a05e4aedb25eb38d9e4524722f28c21fac9f788f87113c5b9184ef5
- sha256=804cd68f40d0bb93b6676447af719388e95cafd5a2b017a0386eb7de590ebf17

Title: Your Data Is Under New Lummanagement: The Rise of LummaStealer
Link: https://www.cybereason.com/blog/threat-analysis-rise-of-lummastealer
Summary: This Cybereason Security Services threat analysis covers LummaStealer, an infostealer linked to the Beast ransomware group and designed to quietly exfiltrate credentials, cryptocurrency wallets and other sensitive data from Windows systems. It is distributed through phishing emails and malicious downloads that rely on social engineering. The report highlights the growth of Malware-as-a-Service (MaaS), which puts such tooling within reach of criminals of varying skill. Notable techniques include the use of mshta.exe and powershell.exe for payload execution, the use of CDNs to front command-and-control infrastructure, and exploitation of vulnerabilities in outdated applications for initial access.
Threats: lumma_stealer beast_ransomware_group beast_ransomware dll_sideloading_technique spear-phishing_technique
Indicators of compromise:
-------------------------
ip: 146[.]19[.]128[.]68, 169[.]150[.]207[.]210, 188[.]114[.]97[.]12, 89[.]187[.]169[.]3, 156[.]146[.]56[.]169, 104[.]21[.]20[.]40, 172[.]64[.]145[.]29, 172[.]67[.]151[.]251
domain: crowdstrike-office365[.]com, carrtychaintnyw[.]shop, quotamkdsdqo[.]shop, complainnykso[.]shop, report1[.]b-cdn[.]net, mega03[.]b-cdn[.]net, filesblack404[.]b-cdn[.]net, zone02[.]b-cdn[.]net, click1[.]b-cdn[.]net, mato-camp-v1[.]b-cdn[.]net, report3[.]b-cdn[.]net, proffoduwnuq[.]shop, pardaoboccia[.]shop, naggersanimism[.]shop, conservaitiwo[.]shop, a3[.]bigdownloadtech[.]shop, steppyplantnw[.]shop, downcheck[.]nyc3[.]cdn[.]digitaloceanspaces[.]com, ces[.]com, clicktogo[.]click, matteryshzh[.]cfd
url: https://steamcommunity[.]com/profiles/76561199724331900
hash:
- md5=e74b1e485e42e8ba7a65ab6927e872a5
- sha1=bfc1422d1c5351561087bd3e6d82ffbad5221dae
- sha1=128a085b84667420359bfd5b7bad0a431ca89e35
- sha1=9f3651ad5725848c880c24f8e749205a7e1e78c1
- sha1=f3e5a2e477cac4bab85940a2158eed78f2d74441
- sha1=a01fa9facf3a13c5a9c079d79974842abff2a3f2
- sha1=99b8464e2aabff3f35899ead95dfac83f5edac51
- sha1=afdefcd9eb251202665388635c0109b5f7b4c0a5
- sha1=f89f91e33bf59d0a07dfb1c4d7246d74a05dd67d
- sha1=594d61532fb2aea88f2e3245473b600d351ee398
- sha1=e264ba0e9987b0ad0812e5dd4dd3075531cfe269
- sha1=c07e49c362f0c21513507726994a9bd040c0d4eb
- sha1=f2c37ad5ca8877186c846b6dfb2cb761f5353305

Title: Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations
Link: https://securelist.com/cyber-anarchy-squad-attacks-with-uncommon-trojans/114990
Summary: Cyber Anarchy Squad (C.A.S) is a hacktivist group that has attacked organizations in Russia and Belarus since 2022, focusing on data theft and reputational damage. Recent investigations revealed its tactics, including exploitation of vulnerabilities in services such as Jira and Microsoft SQL Server and the use of open-source remote access trojans, PowerShell scripts and credential extraction tools. Connections to other hacktivist groups, such as the Ukrainian Cyber Alliance, point to a collaborative ecosystem that increases the groups' operational capabilities, complicates attribution and raises the potential impact of their attacks across sectors.
Threats: cyber_anarchy_squad_group c0met_group revenge_rat spark_rat meterpreter_tool metasploit_tool head_mare_group crypt_ghouls_group blackjack_group browserthief_tool mimikatz_tool lockbit babuk
Indicators of compromise:
-------------------------
ip: 194[.]36[.]188[.]94, 185[.]117[.]75[.]3
domain: itsfreerepublic[.]com
url: none listed
hash:
- md5=a2d098f44aba4967826c3002541e3bb8
- md5=7e101596eeb43ed2de78bb45d7031f7b
- md5=48210ca2408dc76815ad1b7c01c1a21a
- md5=fc3a8eabd07a221b478a4ddd77ddce43
- md5=8c70377554b291d4a231cf113398c00d
- md5=23b873bb66dc09e91127e20825b6cbc7
- md5=bcec17275114c6a87d8b7110aecec5cc
- md5=6cbc93b041165d59ea5ded0c5f377171
- md5=1fcd4f83bf6414d79d5f29ad1e795b3d

Title: Unpacking Diicot: Evolving Campaign Targeting Linux Environments
Link: https://www.wiz.io/blog/diicot-threat-group-malware-campaign
Summary: Wiz Research identified a new malware campaign by the Romanian-speaking Diicot threat group, also known as Mexals, which primarily targets Linux systems in cloud environments. The malware shows notable enhancements, such as modified UPX headers and multi-stage payload staging, and relies on SSH brute-force attacks against weak credentials on hosts running OpenSSH. It includes a self-propagation component, brute-spreader.go, reports to a command-and-control server, and is focused on cryptojacking; the attackers have reportedly earned over $16,000 from Monero mining.
Threats: diicot_group upx_tool xmrig_miner discord-c2 zephyrus
Indicators of compromise:
-------------------------
ip: 91[.]92[.]250[.]6, 87[.]120[.]114[.]219, 87[.]120[.]116[.]35, 87[.]120[.]116[.]35:7777, 87[.]120[.]116[.]242:8080, 147[.]189[.]132[.]45:8080, 46[.]102[.]174[.]115:8080, 139[.]99[.]123[.]196:80
domain: digital[.]digitaldatainsights[.]org, pauza[.]digitaldatainsights[.]org, test[.]digitaldatainsights[.]org, web[.]digitaldatainsights[.]org, test[.]digitaldatainsights[.]org:7777, pool[.]supportxmr[.]com:443
url: http://80[.]76[.]51[.]5/[.]NzJjOTY
hash:
- sha1=a2101ec53fb0934b23f83c582d3a0bed9f66fd13
- sha1=2ec6af460feabfe9ed37c1955ff266cff63f31ff
- sha1=7940c6e29ab9cf6abe5e570f73eed93265962e1a
- sha1=f657f695faf2cfd9f6f2188d154f7767da248b9e
- sha1=a8a5d0223519590bb48e0b52102786623ec45511
- sha1=7ece24f3b426169d720ab8353e07f0feb6dbc854
- sha1=07f200ad0b5a03433a184b442dcd7a688e1ff7a7
- sha1=970b45be172ffb9d3192a8d2d015b1c91b216107
- sha1=1d56f998bc4f7b649f882a2d730d5e9b1b2e621f
- sha1=f82b2df5e01abab70085a12388b3ec83c5e33ba1
- sha1=e0e3456a0b3c06a33cbb4db1f7d1335b777cf107

Title: DigiEver Fix That IoT Thing!
Link: https://www.akamai.com/blog/security-research/2024/dec/digiever-fix-that-iot-thing
Summary: In mid-November 2024, the Akamai Security Intelligence Research Team (SIRT) observed increased malicious activity targeting a vulnerability in DigiEver DS-2105 Pro DVRs that was discovered by Ta-Lun Yen and had no CVE identifier at the time. The activity comes from a modified Mirai variant, dubbed the "Hail Cock Botnet", which exploits the flaw for command injection and downloads its payload. The botnet targets not only DigiEver DVRs but also other IoT devices, such as TP-Link and Teltonika routers; it uses improved encryption and evasion tactics, establishes persistence through cron jobs, and uses Telnet and SSH connections to its command and control server. The incident illustrates the adaptability of Mirai-based botnets and their use of both legacy exploits and a wide range of device architectures.
Threats: mirai
Indicators of compromise:
-------------------------
ip: 154[.]216[.]17[.]126, 154[.]213[.]187[.]50, 86[.]107[.]100[.]80, 213[.]182[.]204[.]57, 195[.]133[.]92[.]51, 185[.]82[.]200[.]181, 81[.]29[.]149[.]178, 88[.]151[.]195[.]22, 91[.]149[.]218[.]232, 91[.]149[.]238[.]18, 31[.]13[.]248[.]89, 193[.]233[.]193[.]45, 194[.]87[.]198[.]29, 45[.]202[.]35[.]91, 104[.]37[.]188[.]76, 95[.]214[.]53[.]205, 5[.]35[.]104[.]31, 149[.]50[.]106[.]25, 141[.]98[.]11[.]79, 45[.]202[.]35[.]24, 5[.]39[.]254[.]71, 45[.]126[.]50[.]101, 45[.]125[.]66[.]90, 91[.]132[.]50[.]181
domain: hailcocks[.]ru
url: http://hailcocks[.]ru/wget[.]sh
hash:
- sha256=3c0eb5de2946c558159a6b6a656d463febee037c17a1f605330e601cfcd39615
- sha256=0d8c3289a2b21abb0d414e2c730d46081e9334a97b5e0b52b9a2f248c59a59ad
- sha256=b32390e3ed03b99419c736b2eb707886b9966f731e629f23e3af63ea7a91a7af
- sha256=dec561cc19458ea127dc1f548fcd0aaa51db007fa8b95c353086cd2d26bfcf02
- sha256=a1b73a3fbd2e373a35d3745d563186b06857f594fa5379f6f7401d09476a0c41
- sha256=31813bb69e10b636c785358ca09d7f91979454dc6fc001f750bf03ad8bde8fe5

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
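The indicator lists above are defanged ("[.]" for ".") and mix two layouts, comma-separated values after a label and one "- sha1=..." entry per line. The following is an added example, not code from RST Cloud or from any of the cited reports: it parses that layout into refanged indicators and runs them over constructed proxy log lines, together with the behavioral rule the FortiClient EMS report relied on (a server talking to webhook.site at all). The sample indicator text copies values from the FortiClient EMS item; the log lines, host names and the "url=" field format are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample in the report's own layout. The indicator values are copied
# from the FortiClient EMS item above; the "Title:"/"Threats:" lines are present
# to show that non-indicator sections are skipped.
SAMPLE_REPORT_TEXT = """\
Title: Attackers exploiting a patched FortiClient EMS vulnerability in the wild
Threats: screenconnect_tool anydesk_tool mimikatz_tool
Indicators of compromise:
-------------------------
ip: 45[.]141[.]84[.]45, 185[.]216[.]70[.]170:1337
domain: infinity[.]screenconnect[.]com, kle[.]screenconnect[.]com
url: https://webhook[.]site/7ece827e-d440-46fd-9b22-cc9a01db03c8, http://185[.]216[.]70[.]170/oo[.]bat
hash:
- sha1=8cfd968741a7c8ec2dcbe0f5333674025e6be1dc
- sha1=441a52f0112da187244eeec5b24a79f40cc17d47
"""

LABEL_RE = re.compile(r"[A-Za-z][A-Za-z ]*")          # "Title", "Indicators of compromise"
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HASH_RE = re.compile(r"^(md5|sha1|sha256)=([0-9a-fA-F]+)$", re.IGNORECASE)
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def refang(value: str) -> str:
    """Undo the defanging used in the report: [.] -> ., [:] -> :, hxxp -> http."""
    value = value.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_iocs(text: str) -> Dict[str, List[str]]:
    """Return refanged indicators keyed by ip/domain/url/hash.

    A line is a section label if it is "ip:", "domain:", "url:" or "hash:", or a
    capitalised word-only label such as "Title:" (which ends an indicator section).
    Anything else is a continuation of the current section, e.g. "- sha1=...".
    """
    iocs: Dict[str, List[str]] = {"ip": [], "domain": [], "url": [], "hash": []}
    label = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:          # blank or "-----" separator
            continue
        head, sep, rest = line.partition(":")
        key = head.strip().lower()
        if sep and (key in iocs or (LABEL_RE.fullmatch(head) and head[0].isupper())):
            label = key if key in iocs else None
            if label is None:
                continue
        elif label is None:
            continue
        else:
            rest = line                             # continuation line
        for item in rest.split(","):
            item = refang(item.strip().lstrip("-").strip())
            if not item:
                continue
            if label == "hash":
                m = HASH_RE.match(item)
                if m and len(m.group(2)) == HASH_LEN[m.group(1).lower()]:
                    iocs["hash"].append(m.group(2).lower())
            elif label == "ip":
                host = item.split(":")[0]           # drop ":port"
                if IPV4_RE.match(host):
                    iocs["ip"].append(host)
            elif label == "domain":
                iocs["domain"].append(item.split(":")[0].lower())
            else:
                iocs["url"].append(item)            # keep case: URL paths are case-sensitive
    return iocs


# Constructed proxy log lines (not from the source report). The last two are a
# ScreenConnect tenant from the domain list and a webhook.site URL that is NOT in
# the indicator list, to show the behavioral rule catching a variant.
SAMPLE_PROXY_LOG = [
    "2024-12-18T10:01:12Z src=ems01 url=https://webhook.site/7ece827e-d440-46fd-9b22-cc9a01db03c8 status=200",
    "2024-12-18T10:01:30Z src=ems01 url=http://185.216.70.170/oo.bat status=200",
    "2024-12-18T10:02:05Z src=ws17 url=https://www.example.com/index.html status=200",
    "2024-12-18T10:03:44Z src=ws17 url=https://kle.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest status=200",
    "2024-12-18T10:05:09Z src=ems01 url=https://webhook.site/00000000-0000-4000-8000-000000000000 status=200",
]

# Legitimate services that a server has no business contacting; the report's
# own evidence of exploitation was "unusual requests to webhook.site".
BEHAVIORAL_HOSTS = {"webhook.site"}


def match_log(lines: List[str], iocs: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (log line, reason) for every line whose URL hits an indicator or rule."""
    urls, ips, domains = set(iocs["url"]), set(iocs["ip"]), set(iocs["domain"])
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = re.search(r"\burl=(\S+)", line)
        if not m:
            continue
        url = m.group(1)
        host = (urlsplit(url).hostname or "").lower()
        if url in urls:
            hits.append((line, "url"))
        elif host in ips:
            hits.append((line, "ip"))
        elif host in domains:
            hits.append((line, "domain"))
        elif host in BEHAVIORAL_HOSTS:
            hits.append((line, "behavioral"))
    return hits


if __name__ == "__main__":
    parsed = parse_iocs(SAMPLE_REPORT_TEXT)
    for hit, reason in match_log(SAMPLE_PROXY_LOG, parsed):
        print(f"[{reason}] {hit}")
```

Two caveats when turning these lists into blocks: several entries are tenants or paths on shared services (screenconnect.com subdomains, webhook.site, b-cdn.net, digitaloceanspaces.com, and the public Monero pool pool.supportxmr.com in the Diicot item), so match the full host or URL and alert rather than blocking the parent domain; and an indicator such as ces[.]com is short enough to collide with legitimate traffic and deserves review before enforcement.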
Analysis Summary
# Incident Report: APT-C-36 Multi-Stage Attack on Colombian Targets
## Executive Summary
APT-C-36 (Blind Eagle) conducted multi-stage attacks against entities in Colombia and neighboring countries, characterized by heavy use of in-memory execution to evade detection. The initial vector was a malicious SVG file that delivered malware disguised as a document from the Colombian Ministry of Justice. Successful compromise led to the deployment of AsyncRAT, enabling keylogging and password extraction, with the 'Heaven's Gate' technique (executing 64-bit code from a 32-bit process to bypass WoW64 user-mode hooks) used to hinder analysis and debugging.
## Incident Details
- **Discovery Date:** Not explicitly stated (activity noted since October 2024)
- **Incident Date:** Ongoing since 2018, with increased activity since October 2024.
- **Affected Organization:** Entities in Colombia and neighboring countries.
- **Sector:** Undisclosed (Implied Government/Justice sector due to lure content).
- **Geography:** Colombia and neighboring South American countries.
## Timeline of Events
### Initial Access
- **Date/Time:** Starting 2018, increasing activity since October 2024.
- **Vector:** Malicious SVG file infection disguised as a legitimate document from the Colombian Ministry of Justice.
- **Details:** The SVG file initiated a multi-stage process that executed malware primarily hidden in memory.
### Lateral Movement
- Not described in the source; the AsyncRAT access would permit it, but no pivoting was reported.
### Data Exfiltration/Impact
- **Impact:** Establishment of remote access via asyncRAT, enabling keylogging and password extraction.
### Detection & Response
- **Detection:** Analysis of attack activities provided the basis for this report.
- **Response Actions:** Not detailed in the source material.
## Attack Methodology
- **Initial Access:** Malicious SVG file delivering malware disguised as a legitimate Ministry of Justice document.
- **Persistence:** Implied through the successful installation and operation of asyncRAT.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Hiding malicious activities in memory; utilizing the 'Heaven's Gate' technique to complicate analysis and debugging.
- **Credential Access:** Keylogging and password extraction facilitated by the deployed asyncRAT.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Not explicitly detailed.
- **Collection:** Keylogging, password harvesting.
- **Exfiltration:** Not explicitly detailed, but remote access via asyncRAT implies potential data exfiltration capability.
- **Impact:** Maintenance of persistent remote control and theft of credentials.
## Impact Assessment
- **Financial:** Not quantified.
- **Data Breach:** Sensitive user data, including passwords and potentially sensitive communications, due to keylogging.
- **Operational:** Compromise of targeted systems via remote access tool (asyncRAT).
- **Reputational:** Potential damage to organizations targeted by documents impersonating a government entity.
## Indicators of Compromise
- **Network Indicators:**
- IP: 172[.]233[.]162[.]230
- Domain: warpower[.]dynuddns[.]net
- URL: https://Warpower[.]dynuddns[.]net
- **File Indicators:**
- MD5: e4d26ef4eb535ed7a5a5694ec804159f
- MD5: 51865d714d444e677aa12adc8a399562
- MD5: cb7417248c5fd3c7c76eb21b670a7a7f
- **Behavioral Indicators:** In-memory execution of multi-stage payloads staged from an SVG; AsyncRAT client activity (keylogging, credential theft); 32-to-64-bit 'Heaven's Gate' transitions inside a WoW64 process.
## Response Actions
- **Containment:** Not detailed in the source; in practice, isolate infected hosts from the network immediately and block the C2 host warpower[.]dynuddns[.]net / 172[.]233[.]162[.]230.
- **Eradication:** Removal of asyncRAT persistence mechanisms and associated files.
- **Recovery:** Credential rotation for all potentially compromised accounts.
## Lessons Learned
- **Key Takeaways:** Groups like Blind Eagle use file formats that are not usually treated as executable content (SVG is XML and can carry script) to start multi-stage chains that run largely in memory and bypass file-based anti-virus. Anti-analysis techniques such as 'Heaven's Gate' defeat user-mode hooks placed by 32-bit security tooling and slow down debugging and forensics.
- **What could have been done better:** EDR capable of detecting in-memory injection and inspecting content types beyond standard document parsers, and mail and web gateways that treat SVG attachments as active content rather than as images.
## Recommendations
- Treat SVG as active content: block or sanitize SVG attachments at the mail gateway (strip script elements, event-handler attributes, and external or data: hrefs), and apply application control so that a viewer opening an SVG cannot spawn script interpreters or downloaders.
- Ensure EDR coverage of WoW64 processes so that the 64-bit side of a 'Heaven's Gate' transition is still observed (kernel-level or 64-bit ntdll telemetry rather than only 32-bit user-mode hooks), alongside detection of process injection and hollowing used by fileless malware.
- Conduct regular security awareness training emphasizing the social engineering aspect, particularly warnings about documents impersonating government ministries.
- Block traffic to the C2 infrastructure listed above (warpower[.]dynuddns[.]net, 172[.]233[.]162[.]230) and alert on other dynamic-DNS hosts contacted by endpoints.
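The recommendation to treat SVG as active content can be enforced with a structural check rather than a file-extension rule. The following is an added example, not code from the original page or from the APT-C-36 analysis: it parses an SVG as XML and flags the constructs that make it a script carrier (script and foreignObject elements, on* event-handler attributes, data: and external hrefs, and base64 blobs whose decoded magic bytes reveal a ZIP, PE or ELF). Both sample SVGs are constructed for the example and are not the Blind Eagle lure; the verdict thresholds are assumptions.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample (not the APT-C-36 file): a decoy-styled SVG carrying an
# onload handler, an inline script and a base64-encoded ZIP inside a data: URI.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="600" height="400" onload="init()">
  <text x="20" y="40">Ministerio de Justicia - Documento adjunto</text>
  <script>function init(){ location = "data:application/zip;base64,UEsDBBQAAAAIAA=="; }</script>
  <a xlink:href="https://example.invalid/stage2.hta"><rect width="600" height="400" fill="none"/></a>
  <image width="1" height="1" xlink:href="data:image/png;base64,iVBORw0KGgo="/>
</svg>
"""

# Constructed benign sample: static shapes only.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'

ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed"}
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8", b"RIFF")          # png, jpeg, gif, webp
SUSPECT_MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"\x7fELF": "elf"}
HIGH_RISK = ("element:", "event-handler:", "embedded-base64:", "malformed-xml:")


def localname(qname: str) -> str:
    """Strip the namespace from an ElementTree tag or attribute name."""
    return qname.rsplit("}", 1)[-1]


def sniff_base64(blob: str) -> str:
    """Decode the head of a base64 blob and classify it by magic bytes."""
    chunk = blob[:64]
    chunk = chunk[: len(chunk) - len(chunk) % 4]      # keep a decodable prefix
    try:
        head = base64.b64decode(chunk, validate=True)
    except (ValueError, binascii.Error):
        return "undecodable"
    for magic, kind in SUSPECT_MAGIC.items():
        if head.startswith(magic):
            return kind
    if head.startswith(IMAGE_MAGIC):
        return "image"
    return "unknown"


def triage_svg(svg_text: str) -> List[str]:
    """Return findings for one SVG document; an empty list means nothing active was found."""
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"malformed-xml:{exc}"]
    for el in root.iter():
        if not isinstance(el.tag, str):
            continue
        tag = localname(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = localname(attr)
            if name.lower().startswith("on"):                  # onload, onclick, onerror, ...
                findings.append(f"event-handler:{tag}@{name}")
            elif name == "href":                               # SVG2 href or xlink:href
                if value.lower().startswith("data:"):
                    findings.append(f"data-uri:{tag}")
                elif re.match(r"^(https?|ftp)://", value, re.IGNORECASE):
                    findings.append(f"external-link:{value}")
            elif name == "style" and re.search(r"url\(\s*['\"]?(https?:|data:)", value, re.IGNORECASE):
                findings.append(f"style-url:{tag}")           # internal url(#id) refs are left alone
    # Base64 blobs can hide in script text or CSS, not only in attributes.
    for m in re.finditer(r"base64,([A-Za-z0-9+/=]{8,})", svg_text):
        kind = sniff_base64(m.group(1))
        if kind != "image":
            findings.append(f"embedded-base64:{kind}")
    return findings


def verdict(findings: List[str]) -> str:
    """Assumed gateway policy: active content or unparseable XML is blocked, links are reviewed."""
    if any(f.startswith(HIGH_RISK) for f in findings):
        return "block"
    return "review" if findings else "allow"


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_SVG), ("benign", BENIGN_SVG)):
        found = triage_svg(doc)
        print(label, verdict(found), found)
```

Two points worth keeping in mind: browsers only execute SVG script when the file is opened as a top-level document or embedded via object/iframe, not via an img tag, which is why an attachment the user double-clicks is the dangerous case; and for untrusted input in production the stdlib parser should be swapped for defusedxml, since an attacker who controls the XML can also target the parser itself.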