Severity
Medium
Analysis Summary
The financially motivated threat group tracked as UNC2529 is targeting many organizations in the US and other countries. The group's malware and custom lures show professional, experienced development.
Across two distinct attack waves at the end of 2020, the group employed three new malware families, tracked as:
- DOUBLEDRAG
- DOUBLEDROP
- DOUBLEBACK
The phishing messages contain links to a malicious website that serves the malware. The targeted organizations are mainly in the business, healthcare, retail, and engineering and manufacturing sectors. In some attacks, weaponized Excel documents are used as the downloader.
The attackers made extensive use of fileless malware and obfuscation to evade detection, and the backdoors employed in the attacks are highly sophisticated.
“UNC2529 is assessed as capable, professional, and well resourced. The identified wide-ranging targets, across geography and industry, suggests a financial crime motive,” concludes the report, which also included indicators of compromise and other technical indicators for the attacks.
Impact
- Phishing
- Data Breach
Indicators of Compromise
Remediation
- Apply the latest security patches.
- Practice strong security habits and be wary of suspicious emails, links, and unexpected Excel attachments.
- Install and keep updated antivirus and malware protection software.