Remember the AirIndia hack which had shocked the world ?
Group-IB had released the statement last week on which they told that they have got the moderate confidence to prove the link between AirIndia cyberattack with the Chinese threat actor known as “APT41”.
“After the attackers established persistence in the network and obtained passwords, they began moving laterally. The threat actor collected information inside the local network, including names of network resources and their addresses.” stated in the statement.
Additionally, Group-IB had pointed out that the compromised devices where identified to be from different subnets, which indicates that the compromise affected different segments in the network.
Group-IB had given the name of campaign as “ColunmTK” which was derived from the initially discovered domain names
- ns2[.]colunm[.]tk;
- ns1[.]colunm[.]tk.
Below snapshot from Group-IB depicts the techniques and tactics used by this threat actor as a reference.
Indicators of Compromise:
Network indicators:
- 185.118.164[.]198;
- 104.224.169[.]214;
- 45.61.136[.]199;
- 185.118.166[.]66;
- 149.28.134[.]209;
- colunm[.]tk.
| File name | MD5 |
|---|---|
| install.bat | 20aebf6e20c46b6bfe44f2828adf3b91 |
| SecurityHealthSystray.dll | b6b06a95cfeeee0efe8bc0cd54eac71d |
| SecurityHealthSystray.ocx | 83249cff833182b3299cbd4aac539c9a |
| BadPotatoNet4.exe | 143278845a3f5276a1dd5860e7488313 |
| COMSysUpdate.dll | 559b7150d936fffe728092b160c14d28 |
| install.bat | 9337952aa3be0dacfc12898df3180f02 |
| SecurityHealthSystray.ocx | 212784cf25f0adfaf9ba46db41c373d5 |
| COMSysUpdate.ocx | d414c7ede5a9d6d30e6d3fe547e27484 |
| ntoskrnl.exe | 83e6da9cd8ccf9b0c04f00416b091076 |
| COMSysUpdate.dll | 7b501402c843034cd79151257aca189e |
| COMSysUpdate.ocx | 69f5c5f67850acdb373ddd106adce48c |
| SecurityHealthSystray.dll | b071a62d2dd745743c6de5f115d633b1 |
| SecurityHealthSystray.ocx | 019122b1d783646f99c73a3c399cc334 |
| install.bat | f61dbac694d34c96830f184658610261 |
| SecurityHealthSystra.ocx | fc208a4d04c085edcea1ec5f402057f9 |
| SecurityHealthSystray.dll | 5528bb928e02926179fca52dd388b1f0 |
| SecurityHealthSystray.dll | b8ecab09b7bfb42b9ace3666edf867a7 |
| SecurityHealthSystra.ocx | c4be6b466807540a22f62ffa6829540f |
| SecurityHealthSystra.ocx | a00ab8ac0f11c3fcd5c557729afcbf89 |
-–For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1