Severity
High
Analysis Summary
GhostWriter, a cyber espionage campaign targeting audiences in Poland, Latvia, and Lithuania, has now been linked to UNC1151. The campaign began in mid-2020, and the actors behind these attacks are now being attributed to UNC1151, a state-sponsored APT group that runs malware campaigns and credential-harvesting attacks. UNC1151, a Minsk-based threat group, has been targeting Ukrainian government officials and military personnel with mass phishing emails. Once an account is compromised, the attackers retrieve all of its messages over IMAP. They then use contact details from the victim's address book to send further phishing emails.
Impact
- Information Theft and Espionage
Indicators of Compromise
Domain Name
Filename
- Operativna_informacia[.]chm
- paggingfile[.]dll
- Network access center[.]lnk
- droplet[.]vbs
- desktop[.]ini
MD5
SHA-256
SHA-1
Remediation
- Block all threat indicators at your respective controls.
- Search for IoCs in your environment.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.
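To support the "search for IoCs in your environment" step, the following is an added example (not part of the Rewterz advisory) that refangs domain indicators written in the advisory's `[.]` form and matches them against proxy and mail log lines, including subdomains of a listed domain while rejecting look-alike names that merely end in the same string. The indicator values, log format and hostnames are constructed placeholders; substitute the advisory's own domain list before use.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed placeholder indicators in the advisory's defanged "[.]" form;
# replace with the advisory's own domain list before use.
DEFANGED_IOCS = ["example-verify-mail[.]test", "example-mod-mil[.]test"]

# Constructed proxy/SMTP log lines (assumed format) used for demonstration.
SAMPLE_LOG = [
    '2022-03-10T09:14:02Z proxy user=alice GET https://login.example-verify-mail.test/auth?sid=1 200',
    '2022-03-10T09:15:11Z proxy user=bob GET https://intranet.corp.test/home 200',
    '2022-03-10T09:16:40Z smtp from=hr@example-mod-mil.test to=carol@corp.test subject="Re: passport"',
    '2022-03-10T09:17:03Z proxy user=dave GET https://notexample-verify-mail.test/ 200',
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(indicator: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging so the indicator can be matched."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def domain_matches(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the IoC that `host` equals or is a subdomain of, else None.
    The leading '.' in the suffix check stops 'notbad.tld' matching 'bad.tld'."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_line(line: str, iocs: Set[str]) -> Set[str]:
    """Collect every IoC referenced by a URL host or bare hostname in one log line."""
    hosts = {h for h in (urlparse(u).hostname for u in URL_RE.findall(line)) if h}
    hosts.update(HOST_RE.findall(line))  # bare hosts, e.g. sender domains in mail logs
    return {m for m in (domain_matches(h, iocs) for h in hosts) if m}


def scan_log(lines: Iterable[str], defanged: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, matched IoC) pairs for every hit in the log."""
    iocs = {refang(i) for i in defanged}
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in sorted(scan_line(line, iocs))]


if __name__ == "__main__":
    for n, hit in scan_log(SAMPLE_LOG, DEFANGED_IOCS):
        print(f"line {n}: matched {hit}")
```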