Remember the AirIndia hack which had shocked the world ?

Group-IB had released the statement last week on which they told that they have got the moderate confidence to prove the link between AirIndia cyberattack with the Chinese threat actor known as “APT41”.

“After the attackers established persistence in the network and obtained passwords, they began moving laterally. The threat actor collected information inside the local network, including names of network resources and their addresses.” stated in the statement.

Additionally, Group-IB had pointed out that the compromised devices where identified to be from different subnets, which indicates that the compromise affected different segments in the network.

Group-IB had given the name of campaign as “ColunmTK” which was derived from the initially discovered domain names

  • ns2[.]colunm[.]tk;
  • ns1[.]colunm[.]tk.

Below snapshot from Group-IB depicts the techniques and tactics used by this threat actor as a reference.

Indicators of Compromise:

Network indicators:

  • 185.118.164[.]198;
  • 104.224.169[.]214;
  • 45.61.136[.]199;
  • 185.118.166[.]66;
  • 149.28.134[.]209;
  • colunm[.]tk.
File nameMD5
install.bat20aebf6e20c46b6bfe44f2828adf3b91
SecurityHealthSystray.dllb6b06a95cfeeee0efe8bc0cd54eac71d
SecurityHealthSystray.ocx83249cff833182b3299cbd4aac539c9a
BadPotatoNet4.exe143278845a3f5276a1dd5860e7488313
COMSysUpdate.dll559b7150d936fffe728092b160c14d28
install.bat9337952aa3be0dacfc12898df3180f02
SecurityHealthSystray.ocx212784cf25f0adfaf9ba46db41c373d5
COMSysUpdate.ocxd414c7ede5a9d6d30e6d3fe547e27484
ntoskrnl.exe83e6da9cd8ccf9b0c04f00416b091076
COMSysUpdate.dll7b501402c843034cd79151257aca189e
COMSysUpdate.ocx69f5c5f67850acdb373ddd106adce48c
SecurityHealthSystray.dllb071a62d2dd745743c6de5f115d633b1
SecurityHealthSystray.ocx019122b1d783646f99c73a3c399cc334
install.batf61dbac694d34c96830f184658610261
SecurityHealthSystra.ocxfc208a4d04c085edcea1ec5f402057f9
SecurityHealthSystray.dll5528bb928e02926179fca52dd388b1f0
SecurityHealthSystray.dllb8ecab09b7bfb42b9ace3666edf867a7
SecurityHealthSystra.ocxc4be6b466807540a22f62ffa6829540f
SecurityHealthSystra.ocxa00ab8ac0f11c3fcd5c557729afcbf89

-–For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1

Published by oxytivetech

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s