Severity
Medium
Analysis Summary
APT C-23 also known as AridViper and Desert Falcon is active in the region targeting different sectors with their malicious documents. The group’s discovery came around March 2017 and their main target emerged as the Middle East. The group has previously faked an android app to deploy Android/SpyC23 mainly for spying, including reading notifications from messaging apps, call recording and screen recording, and with new stealth features, such as dismissing notifications from built-in Android security apps.
A new sample also seems to be used by APT-C-23. Once it gets executed, a document relating to information about EgyptAir is shown to confuse the victim and meanwhile RAT is executed to perform remote control.
Impact
- Data exfiltration
- Credential theft
- Theft of financial information
- Financial loss
Indicators of Compromise
Filename
- exe[.]pdf المريض باسل دراغمة_0
MD5
- d60edd62ea6f2965e663c1a4ed2fdea8
SHA-256
- f2f36a72cfb25cef74ff0ea8e3ad1c49c6dc3e128fd60a2717f4c5a225e20df2
SHA-1
- a519b14c39e1a992a86f985830e3102febfdb4e9
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.