

Rewterz Threat Advisory – CVE-2021-23382 – Node.js postcss Module Denial of Service
April 27, 2021
Rewterz Threat Alert – Formbook Malware – Active IOCs
April 27, 2021
April 27, 2021
Severity
Medium
Analysis Summary
Nanocore is a high-risk RAT (remote access tool) that gives attackers information about the victim such as the device name and operating system. The malware can hijack the webcam and microphone, manipulate confidential files, and steal login credentials. A Nanocore attack starts with a phishing attempt: the victim unwittingly downloads or opens an attachment, the trojan is installed on the device, business-critical data and financial information are captured through the keylogger, and the stolen information is moved to another server owned by the attackers, initiating the ransomware stage.
Impact
- Credential Theft
- Unauthorized Access
- Theft of Sensitive Information
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
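One way to act on the two remediation steps above, added here as an illustration and not part of the Rewterz advisory: indicators in advisories of this kind are published in defanged form (`5[.]79[.]72[.]163`, `http[:]//host/path`), so they must be refanged and normalised before they can be matched against proxy or DNS logs. The two indicators below are taken from the advisory; the log lines are constructed for the example, and the `hxxp` handling is an assumption about other feeds, not something this advisory uses.

```python
import re

# Refang the defanging conventions used in the advisory ("[.]" and "[:]");
# "hxxp" is handled as well, an assumption about other feeds.
def refang(indicator: str) -> str:
    s = indicator.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)

# Reduce an indicator to the token that actually appears in logs:
# an IP or hostname stays as-is, a URL is reduced to its host.
def indicator_key(indicator: str) -> str:
    s = refang(indicator).lower()
    m = re.match(r"^[a-z]+://([^/?]+)", s)
    return m.group(1) if m else s

# Return (original_indicator, log_line) pairs where the normalised indicator
# occurs as a whole token in the line (no substring matches, so 10.0.0.1 does
# not hit on 10.0.0.10; trailing dots are stripped to tolerate "host." forms).
def find_hits(indicators, log_lines) -> list:
    keys = {indicator_key(i): i for i in indicators}
    hits = []
    for line in log_lines:
        tokens = {t.strip(".") for t in re.findall(r"[a-z0-9.\-]+", line.lower())}
        for key, original in keys.items():
            if key in tokens:
                hits.append((original, line))
    return hits

SAMPLE_INDICATORS = [  # two values in the advisory's defanged form
    "172[.]245[.]45[.]28",
    "http[:]//twart[.]myfirewall[.]org/taskmgrs[.]exe",
]
SAMPLE_LOGS = [  # constructed proxy/DNS lines, not real traffic
    "2021-04-27T10:02:11Z proxy src=10.0.0.15 dst=172.245.45.28 GET /download.exe",
    "2021-04-27T10:03:40Z dns query=twart.myfirewall.org type=A client=10.0.0.22",
    "2021-04-27T10:04:02Z dns query=updates.example.com type=A client=10.0.0.22",
    "2021-04-27T10:05:13Z proxy src=10.0.0.31 dst=203.0.113.9 GET /index.html",
]

if __name__ == "__main__":
    for ind, line in find_hits(SAMPLE_INDICATORS, SAMPLE_LOGS):
        print(f"HIT {ind!r} in: {line}")
```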