Rewterz Threat Alert – Unknown Threat Actors Targeting Pakistan’s Government Sectors with Netwire Malware

Rewterz Threat Advisory –CVE-2021-1572 – ConfD CLI Secure Shell Server Security Vulnerability

August 5, 2021

Rewterz Threat Advisory –CVE-2021-1585 – Cisco Adaptive Security Device Manager Code Execution Vulnerability

August 6, 2021

Rewterz Threat Alert – Unknown Threat Actors Targeting Pakistan’s Government Sectors with Netwire Malware – Active IOCs

Severity

High

Analysis Summary

Netwire malware first emerged in the wild in 2012. Used as a keylogger and password stealer including remote access trojan or RAT capabilities which gives complete control of the infected machine to the attacker. The malware itself has gone under several changes after its emergence. Used by APT groups for espionage and information theft campaigns, this time threat actors have targeted the Used by APT groups for espionage and information theft campaigns, this time threat actors have targeted NATIONAL CENTER OF GIS AND SPACE APPLICATIONS.

NATIONAL CENTER OF GIS AND SPACE APPLICATIONS (NCGSA) is developed to build capabilities in the space science and technologies with major focus on the research and technological advancements and to sustain human, research and entrepreneurial capacity in the field of space science.

Impact

Information Theft and Espionage
Data exfiltration
Credential theft from browsers

Indicators of Compromise

Filename

NCGSA-LAB-Credentials[.]docm
Draft-Minutes-NITB-MOITT[.]docm
162503037212b9de19d06662f0001DP4dZo[.]eml
doc[.]docx
Expr[.]exe
Expr[.]exe
95f69685b20176b657e731a05009c0a26c3b8519fb31e61e0b90d5afd03a92c9[.]bin
sysWow64[.]exe
CSD-Loyalty[.]apk
Host[.]exe
sysWow64-e1[.]exe

MD5

1355afb0319109758b550fda34c867e8
28dc287cc78e195386dc33564dfe449a
7fa3f99bd2bf8f4e712f090adf1c0735
5ab6454e68480864c966520dfbba162b
465689cb7d7ea7b0ffb6bf824dd7ad4a
32276ad1414f7b3fb21e82d945c8a44d
22df783f7881a7f6973028e21ca19d4f
b6ec09770ed5b34922b0cf56cb17bc95
ab5dac030dc5fc9ed802c0322168558b
026c1ce7e96a898c23a7ce9a567b9568
37d72d724e579d2801d518b08e3fac87
617e8cc54bb247091266826225553a25
715788fb520b3873db406fdf59521afa
60d234d54c25dcef19a64ded3a587072

SHA-256

66882db537a3166f60b45f65a56705d5e838b750cb45a0a54a0645d3793b572a
44ab959e070a76da9033cabaaebe69d3fc17d27ccf71660e5c2817611f0c4301
b54335fa9c9afffdb1729f2e7c808cfb6dc0d45ac0e3a375d611af4391ef459b
d4ddf955a25e9d3161cbc48756bbd4643d69cf0bbf7a2afb1199473724f8b65a
1949e4fa05996724af5216e92d421795859592d7a2e1dd4d5d89ce957afb54fd
29f3946a78fa904957d891badd4c600d5660478b7ea3f16bd91538daf492460f
c82c58a917b4f94621bb0115c03f5ee3889b869be9f21ad07c90cbf93c680690
95f69685b20176b657e731a05009c0a26c3b8519fb31e61e0b90d5afd03a92c9
ff19ff1ef5f01de34cb09af5f0d62d380cffc14d0c00482287fd2741e00abb22
db721c1c017aac9093dcaeb4049441ce9fd617f09388f844243b148846914c14
ad5de6e1a7f393ef127a65e7b5f52da1d8708a03f5f6fbb1e7076eb8ff223a82
4805d28aa8f1b7e46ea21facb9adcdc02bc499f268b0b30cef8ffa74417cf8e4
dbe60153ede523dc838e9289aa0b43c5022c182b85396381b96b5d44c1698e27
4f10d7a2e964aa6c91e4b2da80fe82f8a566ca8a541592a4789b48f4dba11581

SHA-1

69ec1aaabf720f4df63f94efd9eaca0aa839dcc1
206c311c2d77f7b9ec5131680af51f94101022af
21f65998b150b39b68ffa667f5cb5acc97157998
cdf965be26665a6531f1c1a1640e3d9f9097f411
ce5304afe53aa5d20858ed12bd90e22f05085ae2
1ce4a5b2af3a5630356fc6b290213fc43165bda9
f68504ff885b284cb8004cff875c8d7f9de84514
e3a1f983e122c264d0b1fbec8d1d3e22c88c5379
e49fe7a5fc72796f7be9d9913f45b6b509c1b062
ee63b68d581ad0653842ee101593ec3081533ca2
532edfb64740c9760936598e4aef8000f1033017
ddd79d174096dccf8c72c404de665a26d812fc38
096e3741fd8babb84d433fa9ccb866b4fe0435e3
7209018f3e29225363f92f7e04e35ca7001dcf39

Remediation

Block all threat indicators at their respective controls.
Search for IOCs in your environment
Never click on the link sent by unknown senders.
Always be suspicious about email sent by unknown senders.