
TA428 Targeting Russia and Mongolia IT Companies

The TA428 APT group is believed to have taken part in attacks against government and private IT entities in Russia and Mongolia. The campaign was first observed on January 21, 2021, and it appears to be ongoing. Based on the infrastructure and tactics used by TA428 and on the organizations it victimized, the campaign is assessed to be aimed mainly at information technology institutions of the Russian and Mongolian governments.

The group has been active since 2013, using customized toolsets against the IT, scientific research, internal affairs, diplomatic, political, and financial sectors. In February 2021, NTT researchers discovered attacks against East Asian defense and aviation organizations in Russia and Mongolia, and assessed that the group is likely to continue attacking Russian and Mongolian organizations.

TA428 is using counterfeit domain names that mimic the themes of Mongolian and Russian news websites; the set also includes two subdomains that imitate a U.S. news agency.

    aircraft.tsagagaar[.]com
    nubia.tsagagaar[.]com
    gazar.ecustoms-mn[.]com
    govi-altai.ecustoms-mn[.]com
    gogonews.organiccrap[.]com
    niigem.olloo-news[.]com
    oolnewsmongol.ddns[.]info
    bloomberg.mefound[.]com
    bloomberg.ns02[.]biz

Malware

Two loader DLLs were observed: x86.dll, built for 32-bit environments, and x64.dll, built for 64-bit environments. Once executed, the DLL drops two files: PotPlayerMini.exe, a legitimate executable that is vulnerable to DLL hijacking, and PotPlayer.dll, a PoisonIvy payload. Running PotPlayerMini.exe causes it to load the malicious PoisonIvy DLL from the same directory. In this case the DLL is configured to communicate with the domain nubia.tsagagaar[.]com. The attackers then use the EternalBlue vulnerability to move laterally and inject the initial DLL into the lsass.exe process on the target host.


IOCs

IP addresses

103.125.219.222
103.249.87.72
45.76.211.18

Domains

aircraft.tsagagaar.com
ecustoms-mn.com
f1news.vzglagtime.net
gazar.ecustoms-mn.com
govi-altai.ecustoms-mn.com
news.vzglagtime.net
niigem.olloo-news.com
nubia.tsagagaar.com
olloo-news.com
oolnewsmongol.ddns.info
bloomberg.mefound.com
bloomberg.ns02.biz
nmcustoms.https443.org
gogonews.organiccrap.com
tsagagaar.com
vzglagtime.net

MD5

45b1fe53c883d43b27a6026e402c5b12
89eb45d4bc160c50c1ca74a572dce78e
4a2070bd771d0f11f0c419ff12ebb738
421fe8ea68be5baa19b6acdb39d69ba9

SHA1

cb5716cb27f4465e0f63da7cf0014a2699c92283
c55f90b622f8ed91889a4fae15377896d031e2c8
57141b39d064a8d894cdf15002e316006d0b6de6
c068039d6b03b4c510d008ba6edc34c1df2d77a0

SHA256

1145d39ce42761862eeb7c46500b3fc5cd0dcd9c0fed35623b577b01d0ec3c8e
15ce51dd036231d1ef106cd499c7539e68b195a5b199150a30aa2ba41d3076fb
33c0be46fea3a981ae94c1ae0b23c04a763f8318706bd9f7530347f579a2282e
3a5828fe5e55e52f041ad8d67b12a6fc23ec2d2d37a6adde59139d523f1dfc8b
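The following is an added detection example, not code from the original report or from any vendor. It takes the indicators listed above and the PotPlayerMini.exe/PotPlayer.dll sideloading chain described in the malware section, and checks a stream of endpoint event records against them: refanging defanged domains, matching hosts (including subdomains of listed domains), IPs and file hashes, flagging PotPlayerMini.exe loading PotPlayer.dll from a non-Program Files directory, and flagging access to lsass.exe from a binary outside System32. The event record format, the trusted-directory allow-list and the sample events are assumptions constructed for this example.

```python
"""Added example: match endpoint events against the TA428 IOCs on this page and
flag the PotPlayerMini.exe DLL-sideloading chain the report describes.
Event format and sample records are constructed, not real telemetry."""
import re
from pathlib import PureWindowsPath

# Indicators copied from the IOC list on this page.
IOC_IPS = {"103.125.219.222", "103.249.87.72", "45.76.211.18"}
IOC_DOMAINS = {
    "aircraft.tsagagaar.com", "ecustoms-mn.com", "f1news.vzglagtime.net",
    "gazar.ecustoms-mn.com", "govi-altai.ecustoms-mn.com", "news.vzglagtime.net",
    "niigem.olloo-news.com", "nubia.tsagagaar.com", "olloo-news.com",
    "oolnewsmongol.ddns.info", "bloomberg.mefound.com", "bloomberg.ns02.biz",
    "nmcustoms.https443.org", "gogonews.organiccrap.com", "tsagagaar.com",
    "vzglagtime.net",
}
IOC_HASHES = {  # MD5, SHA1 and SHA256 from the report, all lowercase
    "45b1fe53c883d43b27a6026e402c5b12", "89eb45d4bc160c50c1ca74a572dce78e",
    "4a2070bd771d0f11f0c419ff12ebb738", "421fe8ea68be5baa19b6acdb39d69ba9",
    "cb5716cb27f4465e0f63da7cf0014a2699c92283", "c55f90b622f8ed91889a4fae15377896d031e2c8",
    "57141b39d064a8d894cdf15002e316006d0b6de6", "c068039d6b03b4c510d008ba6edc34c1df2d77a0",
    "1145d39ce42761862eeb7c46500b3fc5cd0dcd9c0fed35623b577b01d0ec3c8e",
    "15ce51dd036231d1ef106cd499c7539e68b195a5b199150a30aa2ba41d3076fb",
    "33c0be46fea3a981ae94c1ae0b23c04a763f8318706bd9f7530347f579a2282e",
    "3a5828fe5e55e52f041ad8d67b12a6fc23ec2d2d37a6adde59139d523f1dfc8b",
}
# Hijackable host binary and payload DLL named in the report.
SIDELOAD_HOST = "potplayermini.exe"
SIDELOAD_DLL = "potplayer.dll"
# Assumed allow-list: directories where a legitimate install would live.
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)")
SYSTEM_DIR = "c:\\windows\\system32"

_DEFANG = re.compile(r"\[\s*\.\s*\]|\(\s*\.\s*\)|\{\s*\.\s*\}")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'nubia.tsagagaar [.] com' back into a hostname."""
    return _DEFANG.sub(".", indicator).replace("hxxp", "http").replace(" ", "").lower()


def domain_is_ioc(host: str) -> bool:
    """True for an exact match or for any subdomain of a listed domain."""
    host = refang(host).rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def is_sideload(image: str, loaded: str) -> bool:
    """True when PotPlayerMini.exe loads PotPlayer.dll from its own directory
    outside the trusted install roots: the DLL-hijacking pattern in the report."""
    exe, dll = PureWindowsPath(image), PureWindowsPath(loaded)
    if exe.name.lower() != SIDELOAD_HOST or dll.name.lower() != SIDELOAD_DLL:
        return False
    exe_dir = str(exe.parent).lower()
    return exe_dir == str(dll.parent).lower() and not exe_dir.startswith(TRUSTED_ROOTS)


def check_event(event: dict) -> list:
    """Return finding strings for one event record (empty list if nothing matched)."""
    findings = []
    kind = event.get("type")
    if kind == "image_load" and is_sideload(event["image"], event["loaded"]):
        findings.append("dll_sideload:" + event["loaded"])
    elif kind == "network":
        host, ip = event.get("dest_host", ""), event.get("dest_ip", "")
        if host and domain_is_ioc(host):
            findings.append("ioc_domain:" + refang(host))
        if ip in IOC_IPS:
            findings.append("ioc_ip:" + ip)
    elif kind == "file_create":
        for h in event.get("hashes", {}).values():
            if h.lower() in IOC_HASHES:
                findings.append("ioc_hash:" + h.lower())
    elif kind == "process_access":
        # The report describes the loader DLL being injected into lsass.exe;
        # flag lsass access from anything that is not itself under System32.
        src, tgt = event.get("source", ""), event.get("target", "")
        if tgt.lower().endswith("lsass.exe") and not src.lower().startswith(SYSTEM_DIR):
            findings.append("lsass_access_from:" + src)
    return findings


def scan(events) -> list:
    """Run check_event over a sequence of records; returns (index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) for f in check_event(e)]


# Constructed sample events (not real telemetry).
TEMP_EXE = r"C:\Users\u\AppData\Local\Temp\PotPlayerMini.exe"
SAMPLE_EVENTS = [
    {"type": "image_load", "image": TEMP_EXE,
     "loaded": r"C:\Users\u\AppData\Local\Temp\PotPlayer.dll"},
    {"type": "image_load", "image": r"C:\Program Files\DAUM\PotPlayer\PotPlayerMini.exe",
     "loaded": r"C:\Program Files\DAUM\PotPlayer\PotPlayer.dll"},
    {"type": "network", "image": TEMP_EXE,
     "dest_host": "nubia.tsagagaar.com", "dest_ip": "45.76.211.18"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Local\Temp\x64.dll",
     "hashes": {"md5": "45B1FE53C883D43B27A6026E402C5B12"}},
    {"type": "process_access", "source": TEMP_EXE, "target": r"C:\Windows\System32\lsass.exe"},
    {"type": "network", "dest_host": "www.example.com", "dest_ip": "192.0.2.10"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

The suffix match in domain_is_ioc deliberately treats any subdomain of a listed apex (tsagagaar.com, vzglagtime.net, and so on) as a hit, since the report shows the group rotating subdomains under the same registered names; the lsass rule is intentionally coarse and should be tuned against the host's normal security tooling before being used as an alert.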