MVISION Insights: Credential harvesting campaign targeted the EMEA and APAC regions

Technical Articles ID: KB95188
Last Modified: 1/21/2022

Environment

IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by MVISION Insights technology. The content is intended for use by MVISION Insights users, but is provided for general knowledge to all customers. Contact us for more information about MVISION Insights.

Summary

Description of Campaign
Multiple sectors across the EMEA and APAC regions were targeted with a credential harvesting campaign. The unnamed actor focused on the Ministries of Foreign Affairs as well as entities in finance and technology. The initial infection vector is unknown, but suspected to be phishing links distributed to the victims. Over 50 domains were discovered which mimicked the names of the targeted organizations.

The McAfee Enterprise ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Cyjax and shared publicly here.

How to use this article:

Scroll down and review the Product Countermeasures section of this article. Consider implementing them if they are not already in place.
Review the following articles:
- KB87843 - Dynamic Application Containment rules and best practices
- KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event

This Knowledge Base article discusses a specific threat that is being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.

Campaign IOC

Type	Value
HOSTNAME	mail.mfa.am.webmails.info
HOSTNAME	mail.gov.az.connecting.fail
HOSTNAME	mail.economy.gov.by.connecting.fail
HOSTNAME	rnail.economy.gcv.by
HOSTNAME	rnail.minenergo.gcv.by
HOSTNAME	rnail.minfin.gcv.by
HOSTNAME	mail.mfa.gov.by.connecting.fail
HOSTNAME	mail.mininform.gov.by.connecting.fail
HOSTNAME	rnail.mininform.gcv.by
HOSTNAME	mail.pmrb.gov.by.connecting.fail
HOSTNAME	pmrb.gcv.by
HOSTNAME	rnail.vpk.gcv.by
HOSTNAME	mail.mfa.gov.cn.connecting.fail
HOSTNAME	mail.economy.ge.webmails.info
HOSTNAME	email.mfa.gov.ge.connecting.fail
HOSTNAME	email.mfa.gov.ge.webmails.info
HOSTNAME	scoring.mra.gov.ge.webmails.info
HOSTNAME	mail.mfa.gov.kg.connecting-to-server.info
HOSTNAME	mail.mfa.gov.kg.webmails.info
HOSTNAME	e.mail.ru.inbox.webmails.info
HOSTNAME	account.mail.ru.webmails.info
HOSTNAME	cloud.mail.ru.webmails.info
HOSTNAME	mail.paknavy.gov.pk.connecting.fail
HOSTNAME	webmail.ras.ru.connecting.fail
HOSTNAME	mail.atam.gov.tr.connecting-to-server.fail
HOSTNAME	mail.eshot.gov.tr.connecting-to-server.fail
HOSTNAME	mail.koski.gov.tr.connecting-to-server.fail
HOSTNAME	mail.marsu.gov.tr.connecting-to-server.fail
HOSTNAME	mail.yek.gov.tr.connecting-to-server.fail
HOSTNAME	webmail.adalet.gov.tr.connecting.fail
HOSTNAME	mail.kudaka.gov.tr.connecting-to-server.fail
HOSTNAME	mail.turasas.gov.tr.connecting-to-server.fail
HOSTNAME	wm.online.tm.connecting.fail
HOSTNAME	wm.online.tm.connecting-to-server.fail
HOSTNAME	e-court.mail.gov.ua.connecting.fail
HOSTNAME	mail.gur.gov.ua.connecting.fail
HOSTNAME	mail16.mfa.gov.ua.connecting.fail
HOSTNAME	mail.moz.gov.ua.connecting-to-server.fail
HOSTNAME	mail.nads.gov.ua.connecting-to-server.fail
HOSTNAME	mail.nsj.gov.ua.connecting-to-server.fail
HOSTNAME	mail.argos.uz.connecting-to-server.info
HOSTNAME	adm.gov.uz.connecting.fail
HOSTNAME	adm.gov.uz.connecting-to-server.fail
HOSTNAME	icwc-aral.uz.connecting.fail
HOSTNAME	mail.agro.uz.webmails.info
HOSTNAME	post.minenergy.uz.connecting.fail
HOSTNAME	mail.mfa.uz.connecting-to-server.info
HOSTNAME	post.mfa.uz.connecting.fail
HOSTNAME	mail.mfa.uz.webmails.info
HOSTNAME	mail.mininnovation.uz.connecting.fail
HOSTNAME	mail.mift.uz.connecting.fail
HOSTNAME	mail.mift.uz.webmails.info
HOSTNAME	mail.mintrans.uz.connecting.fail

Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

Endpoint Security - Advanced Threat Protection:

Rule ID: 5 Use GTI URL reputation to identify trusted or malicious processes

Affected Products

MVISION Insights

Knowledge Center

MVISION Insights: Credential harvesting campaign targeted the EMEA and APAC regions

Environment

Summary

Affected Products

Title

Title

Knowledge Center

MVISION Insights: Credential harvesting campaign targeted the EMEA and APAC regions

Environment

Summary

Affected Products

Choose your region

Title

Title