Rewterz

Rewterz Threat Alert – APT21 aka BlackTech Targeting East Asian Countries – Active IOCs

Severity

High

Analysis Summary

With activity traced back to 2010, BlackTech is a commercial cyberespionage group that targets sectors including finance, government, education, and technology. Its main motive is gathering sensitive information and data, including confidential documents, for financial gain. Its common method is spear-phishing emails aimed at specific individuals and targeted organizations. The group uses Trojan horses such as Plead, TSCookie, Gh0st, and Bifrose built for covert computer surveillance. Linked to China, the group has attacked more than 40 countries and continues to expand its operations to others. Countries targeted by these threat actors include Hong Kong, India, Indonesia, Iran, Japan, Jordan, Kazakhstan and Kyrgyzstan.

Impact

  • Data exfiltration
  • Information theft and espionage

Indicators of Compromise

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.