Rewterz Threat Advisory – CVE-2021-29704 – IBM Security SOAR Information Disclosure

August 24, 2021

Rewterz Threat Alert – Cerberus Banking Trojan – Active IOCs

August 24, 2021

Rewterz Threat Alert – KONNI APT Group – Active IOCs

August 24, 2021

Severity

High

Analysis Summary

Konni’s APT Group continues to attack malicious documents written in Russian. Konni’s APT Group conducts attacks with Russian-North Korean trade and economic investment documents. The vector used for the attack is probably the Spear Phishing method and has been reported in Korea. The malicious file suspected of being used as an attachment has the name Russia-North Korea-South Korea-Trade and Economic Relations-Investment.doc

These malicious documents used by Konni APT

The malicious DOC document file contains the following VBA code. If the [Use Content] button is clicked, the VBA malware included inside is activated. And the contents of the document are printed as follows, which makes the user dazzle like a normal document file. VBA code makes connections with malicious C2 servers contained in the ObjectPool zone. The attacker would communicate with the attacker’s server through a combination of instructions contained in the ObjectPool TextBox1 to TextBox3 data and content.

Impact

Exposure of Sensitive Data

Indicators of Compromise

Filename

economic relations[.]doc

MD5

b693e3d2f2cab550ad4f8c5722776498
ce866ae254de4cabd60a95abcc52c315
9b1ca0408e33c43970b87c4c380b134f
db7ed25a92793aba319c08d67ca8bb17
6f6606ed57b133f775927e34067b86aa

SHA-256

f702dfddbc5b4f1d5a5a9db0a2c013900d30515e69a09420a7c3f6eaac901b12
fccad2fea7371ad24a1256b78165bceffc5d01a850f6e2ff576a2d8801ef94fa
d283a0d5cfed4d212cd76497920cf820472c5f138fd061f25e3cddf65190283f
617f733c05b42048c0399ceea50d6e342a4935344bad85bba2f8215937bc0b83
80641207b659931d5e3cad7ad5e3e653a27162c66b35b9ae9019d5e19e092362

SHA1

6dc93db10d46cf777f9928803157dd16dc097e79
224fe06d61d2dc8d273a41d6dd83c9ce378719b9
2fadfaef5179fe69bfecbd9adebd8f6a50615fa4
a240a8bb7630d3a060dda875abbc9690b9b6fb8a
2e0168c630c0464f282d46abb17e1054c39af00e

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.
Always be suspicious about emails sent by unknown senders.
Never click on the link/attachments sent by unknown senders.

Rewterz Annual Threat Intelligence Report 2024 - Download Now

Rewterz Annual Threat Intelligence Report 2024 - Download Now

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

GitHub Tools Deployed in CrazyHunter Ransomware Campaigns – Active IOCs

North Korean APT Kimsuky aka Black Banshee – Active IOCs

Sophisticated BPFDoor Malware Detected Targeting Linux Systems – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Rewterz Threat Advisory – CVE-2021-29704 – IBM Security SOAR Information Disclosure

Rewterz Threat Alert – Cerberus Banking Trojan – Active IOCs

The Wait Is Over!

The Rewterz Annual Threat Intelligence Report 2024 is finally here.