This is a weekly threat intelligence report review from RST Cloud. We analysed 59 threat intelligence reports collected last week and compiled a concise summary of each, along with the pertinent metadata that was extracted. Below you will find a short summary of 10 reports, the related threats, tools and threat actors, a link to the source, and a number of indicators of compromise (IoCs) extracted from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT
Link: https://securelist.com/horns-n-hooves-campaign-delivering-netsupport-rat/114740
Summary: The Horns&Hooves campaign targets over a thousand users and businesses in Russia through malicious email attachments disguised as legitimate requests, primarily ZIP archives. Commencing in March 2023, the attack uses JScript scripts that install the NetSupport RAT for remote management, employing various decoy documents, including PDFs, to appear legitimate. Several versions of the malicious scripts have been identified, including one that uses PNG files, another that embeds code in JavaScript libraries, and a fully obfuscated version that hides the code in Silverlight.Configuration.exe. Analysis revealed connections to the TA569 group, suggesting these attackers may collaborate or share techniques, and indicating a potential escalation to more severe threats, such as data theft or ransomware deployment.
Threats: horns-hooves_group netsupportmanager_rat burnsrat bitsadmin_tool rms_tool dll_sideloading_technique mustard_tempest_group ta569_group smartapesg_campaign rhadamanthys meduza
Indicators of compromise:
-------------------------
ip: 193[.]42[.]32[.]138
domain: xoomep1[.]com:1935, xoomep2[.]com:1935, xoomep1[.]com, xoomep2[.]com, labudanka1[.]com, labudanka2[.]com, gribidi1[.]com, gribidi2[.]com, shetrn1[.]com, shetrn2[.]com
url: https://www[.]linkpicture[.]com/q/1_1657[.]png, https://golden-scalen[.]com/files, http://188[.]227[.]58[.]243/pretencia/www[.]php, http://188[.]227[.]106[.]124/test/js/www[.]php, http://193[.]42[.]32[.]138/api, http://45[.]133[.]16[.]135/zayavka/www[.]php, http://45[.]133[.]16[.]135/zayavka/666[.]bat, http://45[.]133[.]16[.]135/zayavka/1[.]yay, http://golden-scalen[.]com/ngg_cl[.]zip, http://87[.]251[.]67[.]51/api, http://31[.]44[.]4[.]40/test/bat_install[.]bat, https://golden-scalen[.]com/files/*, http://188[.]227[.]58[.]243/zayavka/www[.]php, http://188[.]227[.]58[.]243/pretencia/installet_bat_vbs[.]bat, http://188[.]227[.]106[.]124/test/js/BLD[.]exe, http://188[.]227[.]106[.]124/test/js/1[.]js
hash:
- md5=327a1f32572b4606ae19085769042e51
- md5=b3bde532cfbb95c567c069ca5f90652c
- md5=5f4284115ab9641f1532bb64b650aad6
- md5=63647520b36144e31fb8ad7dd10e3d21
- md5=67677c815070ca2e3ebd57a6adb58d2e
- md5=b03c67239e1e774077995bac331a8950
- md5=ba69cc9f087411995c64ca0d96da7b69
- md5=051552b4da740a3af5bd5643b1dc239a
- md5=34eb579dc89e1dc0507ad646a8dce8be
- md5=29362dcdb6c57dde0c112e25c9706dcf
- md5=882f2de65605dd90ee17fb65a01fe2c7
- md5=0fea857a35b972899e8f1f60ee58e450
- md5=20014b80a139ed256621b9c0ac4d7076
- md5=7f0ee078c8902f12d6d9e300dabf6aed
- md5=8096e00aa7877b863ef5a437f55c8277
- md5=12ab1bc0989b32c55743df9b8c46af5a
- md5=50dc5faa02227c0aefa8b54c8e5b2b0d
- md5=e760a5ce807c756451072376f88760d7
- md5=edfb8d26fa34436f2e92d5be1cb5901b
- md5=3e86f6fc7ed037f3c9560cc59aa7aacc
- md5=ae4d6812f5638d95a82b3fa3d4f92861
- md5=17a78f50e32679f228c43823faabedfd
- md5=b9956282a0fed076ed083892e498ac69
- md5=1b41e64c60ca9dfadeb063cd822ab089

Title: Broken Ghost: Remcos, DarkGate and BrockenDoor
Link: https://securelist.ru/remcos-darkgate-brockendoor/111207
Summary: In October, researchers identified a campaign using the Right-to-Left Override (RLO) technique, which abuses a Unicode control character to disguise malicious file names and extensions. The campaign is linked to several backdoors, including Remcos, DarkGate, and a new malware family called BrockenDoor, spread primarily through phishing emails carrying RLO-disguised executables. The analysed activity showed that Remcos provides full system control, while DarkGate offers functionality such as keylogging and information theft. BrockenDoor specifically targeted Russian software automation companies; the payloads were often delivered inside archives, since archivers typically do not interpret RLO characters. The findings highlight a blend of established and novel malware and emphasise the need for ongoing monitoring of this evolving threat landscape.
Threats: remcos_rat darkgate brockendoor right-to-left_override_technique hvnc_tool gh0st_rat
Indicators of compromise:
-------------------------
ip: 194[.]87[.]252[.]40, 45[.]151[.]62[.]66, 194[.]87[.]252[.]74
domain: wmpssvc[.]online:8080, weventlog[.]store:80, wscsvc[.]online:4080, tnecharise[.]me, tnecharise[.]biz, wmiadap[.]cfd, wmiadap[.]sbs, wmpssvc[.]online:9080, winmetrica[.]info, wuauserv[.]site, webkruzjevo[.]site, snastiisani[.]xyz, remote[.]hipool[.]shop, wmpssvc[.]online, weventlog[.]store
url: https://sportsboulevard-shop[.]com/nico/Scan_RusAutomation_TZ_299_21[.]08[.]2024, https://sportsboulevard-shop[.]com/nico/Scan_RusAutomation_TZ_299_21[.]08[.]2024[.]pdf, https://sportsboulevard-shop[.]com/9827/service[.]exe, https://keymerkert[.]com/update, http://tnecharise[.]me/tiinhmbd, http://tnecharise[.]me/cyjdxxrj, http://194[.]87[.]252[.]40:9375/payload?payloadId=, http://Wmiadap[.]sbs:6180/x, http://Wmiadap[.]cfd:6180/x
hash:
- md5=bbd49c98771b26f571d19f852eb50032
- md5=514d54cb28d40a67a47cdadfea5aadfb
- md5=a8e35c05fd6324119b719aca8ab85f57
- md5=3dcdbae24c81bef32d5062d5210da238
- md5=081662478a85a8d5dc4c6191667b57c7
- md5=6e1642ff15e966b4aabd8a7e7a62afb5
- md5=e48ca8c77bd1aade0267b31e5e5c4b16
- md5=415a4f8f6f5a8fca2cd1d8a2db9cd299
- md5=0a7f371622896d6fe98ca4cecf384a77
- md5=2faff746b3fa3fc39cee068c2f4b8225
- md5=96d09190247304c54a4b2235acd549bd
- md5=c3d5c48e7e8cd11ab662dcb832088341
- md5=cab999df17597905d9fba571f4820e5c
- md5=d947ebd975257261fc8e8f5dc9729a81
- md5=1bc0523bf62b072d7cb35fa5ba29bf67
- md5=353302ef3297119ad7e15d131b85c04d
- md5=35bd6ff114bbaeaa1b8f959e00042a33
- md5=3645826d1f2bf59e6fa71e22559676c7
- md5=3e5cd6018e40bfb258087139f7922df9
- md5=5b8f3cdc9f406d057e48ff5e33398719
- md5=5f4b879537af29b224198d4e18399fe7
- md5=6343560113d4fb9efe740f03b3d847f6
- md5=9546ed5d05d71230c263cc04b5928a70
- md5=de7dcce6672e86154cab335e59885834
- md5=eed9223ff9bc5a20f5fa6114aa9cc6be
- md5=f3b658e97d4602729e2a4e4e5493ce29
- md5=0cd75552f9f1750322e2660f5f4b12a0
- md5=582a296032901a28e2da9f024f90d4a0
- md5=8a6fb5adda210ed5df68755d4316e27b
- md5=943f0607da181651ef79fc5472fbb8e2
- md5=ead0ad5a55ef4c64f1be4eba7b2793b9

Title: The Curious Case of an Egg-Cellent Resume
Link: https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume
Summary: The report outlines a sophisticated intrusion conducted by the threat actor TA4557, associated with FIN6. The campaign began with an employment-themed resume lure that deployed the more_eggs malware via LOLBins, and exploited CVE-2023-27532 to compromise a Veeam server for privilege escalation and lateral movement. Proofpoint, which has tracked TA4557 since 2018, documented techniques including side-loading malicious files, creating new local administrator accounts, and executing commands with tools such as Cobalt Strike and Pyramid for post-exploitation activity, all while maintaining effective operational security to evade detection. The report lists indicators of compromise and maps attacker behaviours to MITRE ATT&CK techniques, emphasising the threat actor's persistence and adaptability throughout the campaign.
Threats: cobalt_strike more_eggs magecart_group lolbin_technique pyramid_c2 cloudflared_tool metasploit_tool sliver_c2_tool cobalt_group evilnum_group nltest_tool shadow_copies_delete_technique vssadmin_tool sharpshares_tool seatbelt_tool fog_ransomware adfind_tool veeamhax netscan_tool
Indicators of compromise:
-------------------------
ip: 144[.]208[.]127[.]15, 109[.]104[.]152[.]24, 108[.]174[.]197[.]15, 172[.]96[.]139[.]82
domain: johnshimkus[.]com, pin[.]howasit[.]com, shehasgone[.]com, annetterawlings[.]com, mitchellspearman[.]com, mikedecook[.]com, davidopkins[.]com, markqualman[.]com, julienolsson[.]com, wlynch[.]com, johncboins[.]com, christianvelour[.]com, lisasierra[.]com, jacksallay[.]com
url: http://a92837f[.]johnshimkus[.]com/setthevar
hash:
- md5=a0e9f5d64349fb13191bc781f81f42e1
- md5=d32d6a0ff9d52869cb6d4ab402b7306c
- sha256=ffc89a2026fa2b2364dd180ede662fa4ac161323388f3553b6d6e4cb2601cb1f
- sha256=b56d2e095dc6c2171e461ca737cbdc0a35de7f4729b31fe41258f9cbd81309a1
- sha256=408f1f982bef7ab5a79057eec4079e5e8d87a0ee83361c79469018b791c03e8f
- sha256=aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d
- sha256=4b8be22b23cd9098218a6f744baeb45c51b6fad6a559b01fe92dbb53c6e2c128
- sha256=4569c869047a092032f6eac7cf0547591a03a0d750a6b104a606807ea282d608
- sha256=a26379ad2eb9de44691da254182ca65fb32596fe1217fe4fbddb173f361a0a9b
- sha256=a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258
- sha256=95634a5c6a8290aaa9d287f28c7d22b3b7ca1cf974339fc89ea4d542fa2ec45a
- md5=987ad23508239b58739279048cb850d5
- sha1=62ea63b720556bda73eaf95be7a282193d19aa4d
- sha256=fe63fdf34d66f1658e2c9227ac84adffaa2cbb8b689999d4d1ebc733fc5f0fce
- md5=14c72c6c628104de0a93df124caa3e4a
- sha1=03bd5fa3fa4b06190b26762c4ea7b4e6ac615819
- sha256=bd3df53a397af4fe5e1441b2c91a6149bac9d26c94e46de9dbcbfa9b8647a935
- md5=6a0ddc6b06db8f7fef1e8934347d150d
- sha1=6a8fed99d66e84524fc75c7bfe003dea750dab11
- sha256=29bc115b5ae8cf19578c1c6a6743c3e53b9247d8eb6c556bc9d056994c58835b
- md5=bace25f5a53a4e6cde31fe2ca2bc39a9
- sha1=ac6521fa3b00f4e70ffb97ee1dfa895097d01dc8
- sha256=757e297137e8ed21622297ae8885740b5beb09bc07141cf8ce7b24dbd95bdaf0
- md5=6886f4cce4041cf27dff8e2ecfbfd38d
- sha1=b68eaed2a653ca79b8ef0b261eb4047ced6e16f4
- sha256=6f12dc858631cf90cd4fef57fbb52675b8649d777c7f86384c6535da0a59ad67
- md5=4fdbae9775a20dc33dec05e408c2a2ad
- sha1=3eaa51632f2beae23d9811b9ff91e31c91092177
- sha256=228cd867898ab0b81d31212b2da03cc3e349c9000dfb33e77410e2937cea8532
- sha256=cbe1f43ad7a19c97a521a662dd406a3fb345ae919271cefc694a71e55fe163f5

Title: BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure
Link: https://go.recordedfuture.com/hubfs/reports/cta-ru-2024-1205.pdf
Summary: Insikt Group has identified BlueAlpha, a threat actor linked to the Russian FSB's Centre 18, as responsible for a cyber-espionage campaign targeting Ukrainian entities. BlueAlpha uses Cloudflare Tunnels to conceal its staging infrastructure while deploying malware such as GammaDrop and GammaLoad through spearphishing that relies on HTML smuggling to distribute VBScript-based payloads. Notably, the group uses DNS fast-fluxing and other evasion tactics to maintain access to compromised systems and evade detection, focusing primarily on Ukrainian government and military targets.
Threats: gamaredon_group gammadrop spear-phishing_technique smuggling_technique fastflux_technique gammaload hive0051_group seaborgium_group energeticbear_group gammasteel litterdrifter asyncrat junk_code_technique
Indicators of compromise:
-------------------------
ip: 178[.]130[.]42[.]94, 124[.]92[.]19[.]107
domain: amsterdam-sheet-veteran-aka[.]trycloudflare[.]com, cod-identification-imported-carl[.]trycloudflare[.]com, else-accommodation-allowing-throws[.]trycloudflare[.]com, benjamin-unnecessary-mothers-configured[.]trycloudflare[.]com, longitude-powerpoint-geek-upgrade[.]trycloudflare[.]com, attribute-homework-generator-lovers[.]trycloudflare[.]com, infected-gc-rhythm-yu[.]trycloudflare[.]com
url: https://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/dearest/seize[.]tar
hash:
- sha256=3afc8955057eb0bae819ead1e7f534f6e5784bbd5b6aa3a08af72e187b157c5b
- sha256=93aa6cd0787193b4ba5ba6367122dee846c5d18ad77919b261c15ff583b0ca17
- sha256=b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda

Title: Analysis of Threat Actor Kim Soo-ki's Email Phishing Campaign
Link: https://www.genians.co.kr/blog/threat_intelligence/kimsuky-cases
Summary: The report discusses the persistent global threat of email phishing, highlighting in particular the Kimsuky group, which has targeted North Korean researchers through evolving tactics. The group employs malware-less URL phishing, using deceptive emails that impersonate legitimate themes to manipulate recipients into divulging sensitive information. They have shifted their operations between Japan, Russia, and Korea, using fraudulent email addresses and various email service providers to enhance their credibility and evade detection. The report analyses specific phishing attacks and emphasises the risks these campaigns pose, noting that even without malware, such phishing can lead to data breaches and unauthorised account access.
Threats: kimsuky_group
Indicators of compromise:
-------------------------
ip: 185[.]27[.]134[.]201, 185[.]105[.]33[.]106, 185[.]27[.]134[.]140, 185[.]27[.]134[.]93, 185[.]27[.]134[.]120, 185[.]27[.]134[.]144
domain: nsec[.]com, mmbox[.]ru, ncloud[.]ru, covd[.]2kool4u[.]net, ned[.]kesug[.]com, wud[.]wuaze[.]com, owna[.]loveslife[.]biz, nidiogln[.]n-e[.]kr, naverbox[.]p-e[.]kr, evangelia[.]edu, inbox[.]ru, internet[.]ru, announcement[.]r-e[.]kr, naver-blog-post-restriction-information[.]kro[.]kr, cookiemanager[.]n-e[.]kr, online[.]korea[.]article-com[.]eu, naver-blog-post-restriction-guide[.]kro[.]kr
url: https://evangelia[.]edu/image/bin/Rjboi0[.]hta
hash:
- md5=adb30d4dd9e1bbe82392b4c01f561e46
- md5=b591cbd3f585dbb1b55f243d5a5982bc
- md5=d8249f33e07479ce9c0e44be73d3deac
- md5=0def51118a28987a929ba26c7413da29
- md5=2ff911b042e5d94dd78f744109851326
- md5=3cd67d99bcc8f3b959c255c9e8702e9f
- md5=7ca1a603a7440f1031c666afbe44afc8
- md5=658a8856d48aabc0ecfeb685d836621b
- md5=a6588c10d9c4c2b3837cd7ce6c43f72e
- md5=a75196b7629e3af03056c75af37f37cf
- md5=aa41e4883a9c5c91cdab225a0e82d86a
- md5=ab75a54c3d6ed01ba9478d9fecd443af

Title: Analysis of a recent APT-C-36 (Blind Eagle) incident forging judicial department documents to deliver the DcRat backdoor
Link: https://mp.weixin.qq.com/s/DDCCjhBjUTa7Ia4Hggsa1A
Summary: APT-C-36, known as Blind Eagle, is a South American advanced persistent threat group that has targeted entities in Colombia and surrounding regions since 2018, focusing on the government and financial sectors. The group has recently used UUE-compressed packages to distribute fake judicial documents via phishing emails, leading to the deployment of the DcRat backdoor on infected machines. The attack methodology includes obfuscated scripts and Spanish-named files that imitate legitimate Ministry of Justice documents, demonstrating a sophisticated approach to targeting Spanish-speaking individuals and organisations while the group's tools and strategies evolve over time.
Threats: blindeagle_group dcrat ande_loader amsi_bypass_technique double_kill_vuln double_star_vuln
Indicators of compromise:
-------------------------
ip:
domain: dcmxz[.]duckdns[.]org
url: https://www[.]informacionoportuna[.]com/wp-content/uploads/2024/09/dllskyfal[.]txt, http://keepz[.]duckdns[.]org/sostener[.]vbs, https://bitbucket[.]org/89999999999999/acaaaaaaaaa/downloads/dll[.]txt, http://pastebin[.]com/raw/V9y5Q5vv, https://bitbucket[.]org/556ghfhgfhgf/fdsfdsf/downloads/dllhope[.]txt, https://cdn[.]discordapp[.]com/attachments/1046967871470837855/1046969589982044230/dll[.]txt, http://91[.]202[.]233[.]169/Tak/Reg/Marz/DRG/RTC/F3dll[.]txt, https://textbin[.]net/raw/ezjmofz3s6
hash:
- md5=816999bfe363b545575d2aaca78a6fdd
- md5=cd4b908264f6711321d7cb9d62df89d2
- md5=ff30cc63bb8ba014ffe95ba9fa52eca4
- md5=31748fb41fa5212711aac8dbd62af0b6
- md5=ad25a95f049577f0372657779a58bf0c
- md5=5d40616dda7b012eb774c45806b7b42a
- md5=4927769fa3f3c5a80287ab3e335d8769
- md5=e078fa76a2ddd05106a6dddba78b4608
- md5=e8c4326e36be1949ce49150c9066f944

Title: Be wary of phishing attacks organised by APT-C-01 (Poison Ivy): attack activity analysis
Link: https://mp.weixin.qq.com/s/6wVfE9SE3wVuazxVppe3tA
Summary: APT-C-01, also referred to as Poison Ivy, is an advanced persistent threat group active since 2007 that primarily targets sectors such as national defence and education through sophisticated phishing attacks. In recent operations the group has imitated official websites to build phishing pages that deliver a Remote Access Trojan (RAT) known as Sliver RAT, capable of covert data theft and remote system control. Analysis of their malicious techniques reveals a complex attack chain involving loaders that disguise themselves with PDF icons and use AES encryption to fetch and execute payloads from remote servers, demonstrating APT-C-01's high level of expertise and evasion capability. The 360 Advanced Threat Research Institute is noted for its role in detecting and analysing these advanced threats.
Threats: poison_ivy_group watering_hole_technique spear-phishing_technique sliver_c2_tool process_injection_technique double_kill_vuln double_star_vuln
Indicators of compromise:
-------------------------
ip: 158[.]247[.]208[.]174, 165[.]22[.]97[.]48, 128[.]199[.]134[.]3
domain: caac-cn[.]org, caac-cn[.]com
url:
hash:
- md5=61c42751f6bb4efafec524be23055fba
- md5=3bd15b16a9595d20c0e185ab1fae738f
- md5=7f0dba2db8c3fdd717d83bb693b3ade9
- md5=88e306f4d6a33703316e794a9210f528
- md5=3a74ed8d1163d1dbc516410d1b8081fa

Title: Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond. TL;DR
Link: https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktapus-domains
Summary: The blog post discusses the phishing tactics of the financially motivated threat actor known as 0ktapus, active since 2022, focusing on its methods for targeting cloud identities. It details how 0ktapus creates phishing landing pages that mimic legitimate sites to collect credentials, using tactics such as SMS and voice phishing, and reactivating old infrastructure to target previously compromised organisations. The analysis covers techniques for investigating these campaigns, such as examining phishing domain characteristics, analysing the HTML code of the pages, and monitoring newly registered domains, and notes how the actor tailors phishing pages to individual target organisations to make the deception more convincing.
Threats: 0ktapus_group mfa_bombing_technique sim_swapping_technique eightbait_tool typosquatting_technique
Indicators of compromise:
-------------------------
ip: 193[.]149[.]176[.]19, 67[.]217[.]228[.]42, 68[.]183[.]20[.]231, 161[.]35[.]98[.]8, 162[.]33[.]179[.]76, 67[.]205[.]185[.]135, 161[.]35[.]96[.]229, 144[.]202[.]121[.]111, 45[.]77[.]122[.]253, 216[.]245[.]184[.]53, 142[.]93[.]3[.]117, 80[.]78[.]28[.]234, 64[.]95[.]13[.]215, 138[.]68[.]47[.]14, 80[.]78[.]22[.]244, 137[.]220[.]43[.]146
domain: revolut-ticket[.]com, gemini-sso[.]com, att-mfa[.]com, stargate-okta[.]com, dashboard-mailgun[.]com, mgmresorts-okta[.]com, calendar-dd[.]com, t-mobile-okta[.]com, intercom-okta[.]com, klav-workday[.]com, grid-review[.]com, rejectauth-sendgrid[.]com, ns3[.]my-ndns[.]com, nike-support[.]com, nike[.]okta[.]com, okta-verify[.]com, account[.]kemper-support[.]com, login[.]doordash-support[.]com, www[.]dashsso[.]com, securian-hr[.]com, mailgun-okta[.]com, forward-icloud[.]com, acwa-internal[.]com, apple-vpn[.]com, acwa-apple[.]com, twitter-okta[.]com, okta-ouryahoo[.]com, activecampaign-hr[.]com, activecampainhr[.]com, block-hr[.]com, block-sso[.]com, cashsso[.]com, hr-gnc[.]com, login[.]block-hr[.]com, uscellular-sso[.]com, sunrise-crypto[.]com, expediagroup-servicenow[.]com, adasupport-okta[.]com, alchemy-okta[.]com, auth-alchemy[.]com, login[.]ally-hr[.]com, login[.]corporate-ally[.]com, amica-hr[.]com, hanover-hr[.]com, sharing-folders[.]com, login[.]realogy-hr[.]com, sync-apple[.]com, okta-blockdaemon[.]com, authenticate-bt[.]com, www[.]authenticate-bt[.]com, cellularsaies[.]com, okta[.]cellularsaies[.]com, clicksend-staging[.]com, okta-cbhq[.]net, commonspiritcorp-okta[.]com, condenast-hub-okta-emea[.]com, consensys-okta[.]com, corescientific-okta[.]com, settings-okta[.]com, docusignhq[.]net, docusign-okta[.]com, epic-servicedesk[.]com, sso-falconx[.]com, fico-servicenow[.]com, five9-hr[.]com, login[.]five9-hr[.]com, corp-foundever[.]com, corp-foundever[.]net, foundever-sso[.]com, galaxy-okta[.]com, okta-gamestop[.]com, prntsrc[.]net, stargate-sso[.]com, stargatesso-gemini[.]com, binance-us-okta[.]com, gofundme-okta[.]com, grayscale-okta[.]com, grubhubsso[.]com, grubhub-support[.]com, login[.]grubhub-support[.]com, corporate-huntington[.]com, sso[.]ibexgiobal[.]com, intercom-hr[.]com, intercomsso[.]net, login[.]hr-intercom[.]com, okta-intercom[.]com, itbit-okta[.]com, jacksonhewitt-service[.]com, account[.]klaviyo-hr[.]com, klaviyocorp[.]net, klaviyo-hr[.]com, klaviyo-vpn[.]com, login[.]klaviyo-hr[.]com, sso-klaviyo[.]com, louisvuitton-okta[.]com, louisvuitton[.]okta-lv[.]com, luno-okta[.]com, review-mailgun[.]com, verify-mailgun[.]com, okta-campaignmonitor[.]com, markel-hr[.]com, newyorklifehr[.]com, login[.]nfp-hr[.]com, nfp-hr[.]com, okta-nydig[.]com, okta-onsolve[.]com, onsolve-okta[.]com, paxos-okta[.]com, login[.]corporate-pnc[.]com, cinfin-hr[.]com, mercury-hr[.]com, mutualofomaha-hr[.]com, podium-hr[.]com, okta-ripple[.]com, ripple-okta[.]com, login[.]rbx-hr[.]com, rbx[.]okta[.]bio, rbx-corp[.]com, rbx-hr[.]com, rbxhr[.]net, rbx-servicedesk[.]com, roblox-hrs[.]com, account[.]securian-hr[.]com, login[.]securian-hr[.]com, contact-sendgrid[.]com, manageactivity-sendgrid[.]com, sendgrid-account[.]com, sessions-sendgrid[.]com, account-sendgrid[.]com, sendgrid-overview[.]com, twillio-sendgrid[.]com, servicenowprod[.]com, resolveservicedesk[.]com, snapchat-okta[.]com, squarespacehr[.]com, squarespace-okta[.]com, squarespace-hr[.]com, login[.]suniife[.]com, login[.]synchronyfinanciai[.]com, ping[.]taskus-sso[.]com, teleperformance-incident[.]com, telesignhr[.]com, telint-helpdesk[.]com, login[.]thrivent-hr[.]com, thrivent-hr[.]com, corp-cox[.]com, verify-tmobile[.]com, storewatch-tmobile[.]com, t-mobiie[.]net, ally-hr[.]com, corporate-ally[.]com, transamerica-hr[.]com, login[.]transamerica-hr[.]com, okta-twilio[.]com, typeform-okta[.]com, ultahub[.]com, ultainternal[.]com, unchainedprod-okta[.]com, login[.]unumhr[.]com, login[.]unum-hr[.]com, unumhr[.]com, login[.]uscc-hr[.]com, tickets[.]zapto[.]org, uscc-hr[.]com, connect-asurion[.]net, supporthub-iqor[.]com, vzapps-vzn[.]com, xapo-okta[.]com, ouryahoo[.]okta[.]com[.]shortid[.]support, ziffdavis-okta[.]com, concentrix-servicedesk[.]com, ibexgiobal[.]com, mixpanel-okta[.]com, robinhood-servicedesk[.]com, zendesk-servicedesk[.]com, ouryahoo-okta[.]org, ouryahoo-okta[.]net, ouryahoo-okta[.]com, gd-okta[.]com, activecampaignhr[.]com, mcointernal-okta[.]com, pfchangs-support[.]com, stargatesso[.]com, binance-sso[.]com, login[.]servicenow-help[.]com
url: https://nredacted[.]okta[.]com, https://stargate[.]okta[.]com/help/login, https://stargate[.]okta[.]com/privacy, https://nigga[.]okta[.]com/help/login
hash:
- sha256=fb1d07ab6c54c7380a93a507b48bc5ba0aee77ca32b7d4c57c38f007857a6fd1
- sha256=95a0eca17ee49bebb333bbb1c96ab54ed361c2f233b2adf8c4374814c633a53b
- sha256=98ca25eef00efcafee4f9cb07908776d0ad976296a5e6eb07a724c31ae4bfc61
- sha256=dd4782fc37ada8c2411fd65877eb3c3199aa67224ffa6c65b81c2e4b8658f727
- sha256=f8b7bb31e7e8c574d74e52eba7dcf3de48c7f5fa6d39d64685d39355d688defb
- sha256=5dd491b89daadabfe8419d5d1e436a6dd9b4eea25fc4ba5898e6a1bca34f06e9
- sha256=46e7cf1fb46a73f098fa6f0f46732bdd298af690ec1452fac9b97884ca8b5a39
- sha256=0acb0fc9762e4359f562794011d77317c78f7b68cec08b715d98ed16ba761fac
- sha256=6604762c149476ff2f833b336d5077d2ac349bccacdf70eb86af28105028fbe0
- sha256=00cc2176062c84db97399bb8761803d15ad1edf4b23eccb74979bb79d2a483ab
- sha256=a226437823c213da4b2f4cfdedc87bfa88204b17a0aebca1a33c3d6055178616
- sha256=a23a15cf02ff5bfdf1b51335af4b91ca96c436781b9791280ab8c470643d07d7
- sha256=c1e6d17cdae38320041149688fdab35409c2d466319873f33390b801b130dae4
- sha256=807865ab553996e521995c6624a41e026ef06f5370e1cad6a9647a68f7474798
- sha256=0cea1ff596fe9a73f77bcd99ec9c77b69c27408a1b1c1c756300ef3db4c3c41f
- sha256=9fea58b71ce27a360735a0ebe4badb2f0e1d17ed1b4baa229a568aec987c802c
- sha256=436831126b5851ba76cd7bedc687ef08538fc639f7cc5e8665488aecfaeaf735
- sha256=ab9f02f9eae92f52c983e18dafa2142203afe96a4f4a2390e061812989186e77
- sha256=695bd0671a2d91d7087abb3c314f59cca2b52f05411aca478e208c4648616486
- sha256=1f28bdadbf55e8c7023c4ac754eb963b776847e2d1826d8cf396b01807185f70
- sha256=7d7ab8c1e2e469539e0d85d2b2166238c71bfd40ae7a373babf3744fc89a0ef8
- sha256=4ae2d449cc534f746e351500a78ed83b2b4555cdf22a49e2e5ef48b10ec55bd6
- sha256=3aeba4ab4ed3a5005444f108e6e54bc50c8c02421c1e6cfceab915e1de5cf862
- sha256=53bb86ab4f9bf507d1f186b5be98f80960db4243afead96ef8ce6eafb2346587
- sha256=d03ce20518692e3c2adc3f578ba92cab5e19f014664438b729d431a24be1823f
- sha256=af1ddeab240bc7321e8c3dfc400ac8273e03af1ce0da9ed73e47570189795e4c
- sha256=ce91909e4a421b6377468d22c6d68438da717c300a1b1326177aab3d01b5abee
- sha256=1d55d14c08eb1d61344f19d17f48b81cca3c4a24f54a0ee3707cf59b296db314
- sha256=2d640430ec60721437ca4d5ff64d16cb0d3febce2e206fa749a9f8e007f9a5ae
- sha256=8683370db6d2b7f5137199f0a6b012fcd09cfff6afb30064a23b3339927ed9c9
- sha256=9833c1b277759b26478c88afe74680d5fbf3efff535dd803b1a3ebe4e7b8d466
- sha256=c05d6607585f882476b6b7c9a39fd0bd2bb7ced3e469d5312971971048e2c594
- sha256=d6cbc900942061d85477bda4dbfd7f77d823e8c08ebe80e1f9ff10bec20b5172
- sha256=69b575025bd763e58fcb95035b9b6e358f43737d91e01ebdaa19934e0206a966
- sha256=c8ff5a54213c5ac0146b1ffe36974b07113f9f7060f951d5f80b93befa3b03f2
- sha256=8293806652949fc5056d2b841ad30010a8e83e0e6adfb102ef83c73bdea074eb
- sha256=e534b01f04ad4721f7cde5e173a1098ae537d0f84a30d908d0eddae6a2fc4514

Title: Stellar Discovery of A New Cluster of Andromeda/Gamarue C2
Link: https://www.cybereason.com/blog/new-cluster-andromeda-gamrue-c2
Summary: Cybereason Security Services has recently uncovered a new cluster of command and control (C2) servers linked to the Andromeda/Gamarue malware, primarily targeting manufacturing and logistics firms in the Asia-Pacific region, likely for industrial espionage. Andromeda, active since at least 2011, is a modular backdoor that is often distributed through infected USB drives using deceptive LNK shortcuts. Cybereason's investigation covered multiple infection incidents and highlights the malware's ability to execute additional payloads and its communication with a C2 domain associated with a specific TLS certificate. The analysis emphasises the evolving tactics of the groups using Andromeda, which is often found operating alongside other malware, indicating coordinated cyber operations.
Threats: andromeda upx_tool turla_group ipeddo mogoogwi pykspa jadtre process_injection_technique
Indicators of compromise:
-------------------------
ip: 34[.]29[.]71[.]138, 104[.]198[.]2[.]251, 184[.]105[.]192[.]2
domain: suckmycocklameavindustry[.]in, anam0rph[.]su, deltaheavy[.]ru
url:
hash:
- sha1=cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
- sha1=b0fb70192b26c18858893f09e9d75d2e52f3f475
- sha1=6dc84c457ea8f5ff29fbd1c6c968e3ffa53f7870
- sha1=274c2facba9d04e1f3cbf31528af0ac162da5db7
- sha1=2620d60d8283936d6671713477cdd9ae2e28eb1b
- sha1=c20c26d9f4f9bff3cf4c29b5c1c30252d938eddb
- sha1=72bc039f1d37b610ba6c4b577dbe82feba37e813
- sha1=e4fcf9c1ee2dcc115f5fc8f074fa56ffd484aac9
- sha1=d36e846202330271d43c425fb4674e71720dfd47
- sha1=8d3f65f067fe1fc090174dcac53eb9c0fb46edc6
- sha1=4dec324ebeef3a9aef57cc71c6b1b5e530412a4e
- sha1=3a96e920f70f252cba1f5e43ea386aec0d1fb704
- sha1=f521451fd6083aa2a91c32091da1908eb8c86866
- sha1=ef275035b54da5edff5b7f802135f2ff0c687fff
- sha1=c2122c796f1afdf94f3aeaa539fdd2d30807c555
- sha1=951206a961f3c679c8e32dbbcec66ed75ca9f117
- sha1=76e3fd90eae759db964fc5af6d1a31e74bd6d9b4
- sha1=4fc5f6704008898447313ccde4f8ede7de91078d

Title: Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage
Link: https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage
Summary: The report details the cyber-espionage activities of the threat actor known as Secret Blizzard, attributed to Center 16 of Russia's Federal Security Service (FSB). The group has used backdoors and malware such as TwoDash and Statuezy within the Storm-0156 infrastructure (associated with several threat activity clusters, including APT36) to compromise governments and defence-related organisations primarily in South Asia, particularly Afghanistan and India. Over the past seven years, Secret Blizzard has repeatedly taken over the tools and infrastructure of other threat actors, leveraging their existing access to run espionage operations against information related to international political affairs.
Threats: turla_group storm-0156_group aitm_technique tinyturla twodash statuezy minipocket wainscot crimson_rat transparenttribe_group sidecopy_campaign amadey tavdig kazuar oilrig_group andromeda kopiluwak quietcanary tomiris_group dll_sideloading_technique meterpreter_tool reverserat_rat Trojan:Win32/TinStrut.A Trojan:Win64/PostGallery.A
Indicators of compromise:
-------------------------
ip: 45[.]14[.]194[.]253, 94[.]177[.]198[.]94, 162[.]213[.]195[.]129, 46[.]249[.]58[.]201, 95[.]111[.]229[.]253, 146[.]70[.]158[.]90, 143[.]198[.]73[.]108, 161[.]35[.]192[.]207, 91[.]234[.]33[.]48, 154[.]53[.]42[.]194, 38[.]242[.]207[.]36, 167[.]86[.]118[.]69, 164[.]68[.]108[.]153, 144[.]91[.]72[.]17, 130[.]185[.]119[.]198, 176[.]57[.]184[.]97, 173[.]212[.]252[.]2, 209[.]126[.]11[.]251, 37[.]60[.]236[.]186, 5[.]189[.]183[.]63, 109[.]123[.]244[.]46
domain: ur253[.]duckdns[.]org, connectotels[.]net, hostelhotels[.]net
url:
hash:
- sha256=e298b83891b192b8a2782e638e7f5601acf13bab2f619215ac68a0b61230a273
- sha256=08803510089c8832df3f6db57aded7bfd2d91745e7dd44985d4c9cb9bd5fd1d2
- sha256=aba8b59281faa8c1c43a4ca7af075edd3e3516d3cef058a1f43b093177b8f83c
- sha256=7c4ef30bd1b5cb690d2603e33264768e3b42752660c79979a5db80816dfb2ad2
- sha256=dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced
- sha256=7c7fad6b9ecb1e770693a6c62e0cc4183f602b892823f4a451799376be915912
- sha256=e2d033b324450e1cb7575fedfc784e66488e342631f059988a9a2fd6e006d381
- sha256=c039ec6622393f9324cacbf8cfaba3b7a41fe6929812ce3bd5d79b0fdedc884a
- sha256=59d7ec6ec97c6b958e00a3352d38dd13876fecdb2bb13a8541ab93248edde317

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.