Rewterz Threat Alert – Group 21 Targeting South Asia

Severity

High

Analysis Summary

Group 21 targeted a range of sectors in South Asia with spear-phishing emails. The emails carried a malicious attachment that dropped a backdoor on the infected system to steal sensitive information. The threat actor has been in operation since at least 2017 and uses many techniques for persistence and defense evasion, including PowerShell, mshta, obfuscation, and scheduled tasks. This comes at a crucial time, when Pakistan and India are progressing towards important aspects of peace negotiations after a tense last year.

Impact

Information theft and espionage

Indicators of Compromise

Domain Name


SHA-256


URL


Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.
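As an added example (not part of the Rewterz advisory), the script below does the two things the remediation asks for: it refangs indicators written in the advisory's "[.]" / "[:]" notation and matches them against DNS and proxy log lines, and it additionally flags any host under the lookalike suffixes the actor's domains share ("gov-pk.org" and "pk-gov.org", mimicking ".gov.pk"), so newly registered subdomains are caught before they appear on an indicator list. The indicator entries and log lines are constructed sample data, not values from the advisory.

```python
import re

# Defanging conventions used in the advisory's indicator lists.
def refang(ioc: str) -> str:
    """Restore a defanged indicator ("[.]", "[:]", "hxxp") to its real form."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

# Lookalike suffixes the advisory's domains share: the actor mimics ".gov.pk"
# by registering "gov-pk.org" / "pk-gov.org" and spoofing real hostnames in
# the subdomain labels. Any host under these is suspicious even if unlisted.
LOOKALIKE_SUFFIXES = ("gov-pk.org", "pk-gov.org")

_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def hostname(ioc_or_url: str) -> str:
    """Extract the hostname from a domain or URL indicator ('' for hashes)."""
    m = _HOST_RE.search(ioc_or_url)
    return m.group(1).lower() if m else ""

def is_lookalike(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in LOOKALIKE_SUFFIXES)

def scan_logs(lines, defanged_iocs):
    """Return (line_no, host, reason) for lines touching a listed or lookalike host."""
    listed = {h for h in map(hostname, map(refang, defanged_iocs)) if h}
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in sorted(set(re.findall(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", line))):
            h = tok.lower()
            if h in listed:
                hits.append((n, h, "blocklist"))
            elif is_lookalike(h):
                hits.append((n, h, "lookalike-suffix"))
    return hits

# Constructed sample data (not from the advisory): indicators in the
# advisory's defanged notation, plus three DNS/proxy log lines.
SAMPLE_IOCS = [
    "webmail[.]ministry-sample[.]gov-pk[.]org",
    "http[:]//portal[.]sample[.]pk-gov[.]org[:]443/news[.]php",
    "0" * 64,  # placeholder SHA-256; hashes need file scanning, skipped here
]
SAMPLE_LOGS = [
    "2021-03-02T10:01:05 dns client=10.0.0.5 qname=webmail.ministry-sample.gov-pk.org",
    "2021-03-02T10:02:11 proxy client=10.0.0.7 url=http://update.sample.pk-gov.org:443/login",
    "2021-03-02T10:03:30 dns client=10.0.0.9 qname=mail.sample-ministry.gov.pk",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, SAMPLE_IOCS):
        print(hit)
```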