Severity
High
Analysis Summary
In April 2021, a suspicious Word document with a Korean file name and decoy was detected. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, researchers concluded that the Andariel group, considered a sub-group of Lazarus, was behind these attacks. The threat actor has been spreading the third-stage payload since mid-2020, using malicious Word documents and files mimicking PDF documents as infection vectors. In addition to the final backdoor, one victim was found infected with custom ransomware. This adds another facet to the Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.
Impact
- Credential theft
- Data Exfiltration
- Information Disclosure
Indicators of Compromise
IP
MD5
SHA-256
SHA-1
URL
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
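One way to act on the remediation steps above, as an added example that is not part of the Rewterz alert: parse indicators written in the alert's defanged notation (hxxp, [:], [[.]] and [.]), classify them by shape (IP, MD5/SHA-1/SHA-256 hash, URL) and search for them in log lines, matching IPs and hashes only as whole tokens so a near-miss address does not produce a false hit. Every indicator and log value below is a constructed placeholder, not one of the alert's own.

```python
import ipaddress
import re

# Constructed sample in the alert's defanged notation (placeholders, not the alert's indicators)
SAMPLE_ALERT = """IP
- 192[.]0[.]2[.]10
SHA-256
- 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
URL
- hxxp[:]//example[[.]]invalid/bbs/icon/skin/skin"""

# Constructed proxy, EDR and firewall lines; the last one must NOT match 192.0.2.10
SAMPLE_LOGS = [
    "2021-06-16T10:01:02Z proxy user=jdoe GET http://example.invalid/bbs/icon/skin/skin 200",
    "2021-06-16T10:01:05Z edr host=ws01 file=report.pdf.exe sha256=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
    "2021-06-16T10:02:11Z fw allow src=10.0.0.5 dst=192.0.2.100 dport=443",
]
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> hash type

def refang(value):
    # Undo the alert's defanging: hxxp -> http, [:] -> :, then [[.]] and [.] -> .
    value = re.sub(r"^hxxp(s?)\[:\]//", r"http\1://", value.strip().lower())
    return value.replace("[[.]]", ".").replace("[.]", ".")

def parse_iocs(text):
    # Classify each "- " bullet by shape: URL, hex hash (by length) or IP address
    iocs = {"ip": set(), "md5": set(), "sha1": set(), "sha256": set(), "url": set()}
    for line in text.splitlines():
        if not line.startswith("- "):
            continue  # section headings carry no indicator
        ioc = refang(line[2:])
        if ioc.startswith("http"):
            iocs["url"].add(ioc)
        elif re.fullmatch(r"[0-9a-f]+", ioc) and len(ioc) in HASH_KINDS:
            iocs[HASH_KINDS[len(ioc)]].add(ioc)
        else:
            try:
                iocs["ip"].add(str(ipaddress.ip_address(ioc)))
            except ValueError:
                pass  # unrecognised indicator shape: skip rather than guess
    return iocs

def find_hits(iocs, log_lines):
    # Return (line_no, kind, indicator); IPs and hashes match only as whole tokens
    hits = []
    for n, raw in enumerate(log_lines, 1):
        for kind, values in iocs.items():
            for v in values:
                pattern = re.escape(v) if kind == "url" else rf"(?<![\w.]){re.escape(v)}(?![\w.])"
                if re.search(pattern, raw.lower()):
                    hits.append((n, kind, v))
    return hits
```

Running `find_hits(parse_iocs(SAMPLE_ALERT), SAMPLE_LOGS)` flags the proxy line (URL) and the EDR line (SHA-256) but not the firewall line, whose destination 192.0.2.100 merely starts with the listed address.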