
Rewterz Threat Alert – Kimsuky APT Group – Active IOCs

Severity

High

Analysis Summary

The North Korean advanced persistent threat (APT) group Kimsuky has been found distributing a fake Korean Internet and Security Agency (KISA) app via malicious emails. A mobile malware researcher has shared details of a fake KISA "vaccine" (security) Android app disguised as the legitimate KISA security program. When the target downloads the APK file delivered by the email and installs the application on their device, the malicious code does its work: it executes in the background without the target's knowledge and collects sensitive information from the device.

Impact

  • Watering hole attacks
  • Keyloggers
  • Remote Access Connections

Indicators of Compromise


Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.