📃Title: New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia
📅Date: 2018-04-23
🔗References:
- https://www.security.com/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
- https://www.security.com/sites/default/files/2018-04/Orangeworm%20IOCs.pdf
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer Symantec
- sector=“Health”
- sector=“IT”
- sector=“Logistic”
- sector=“Manufacturing”
- target-information=“Germany”
- target-information=“Hong Kong”
- target-information=“Hungary”
- target-information=“India”
- target-information=“Malaysia”
- target-information=“Philippines”
- target-information=“Poland”
- target-information=“Saudi Arabia”
- target-information=“Sweden”
- target-information=“United Kingdom”
- target-information=“United States”
- threat-actor Orangeworm
- mitre-attack-pattern=[]
MISP event uuid: 5947a5a4-9c86-45e8-9756-25fa38c54ff3
Indicators of Compromise (IoCs)
Full IoCs available in Rectifyq's MISP