Pulse Detail — Threat Intelligence

PULSE NAME

Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks

WHITE APT28 AlienVault 2024-08-07 Modified: 2024-09-06

IOCs

HIGH VOLUME

TrendMicro highlights the dangers of internet-facing routers and elaborates on Pawn Storm's exploitation of EdgeRouters, complementing the FBI's advisory from February 27, 2024. Cybercriminals and nation-state actors share an interest in compromised routers used as an anonymization layer, with cybercriminals renting out compromised routers and nation-state threat actors like Pawn Storm and Sandworm using dedicated proxy botnets. The analysis focuses on a criminal botnet of Ubiquiti EdgeRouters, disrupted by the FBI in January 2024, which Pawn Storm accessed in April 2022 for persistent espionage campaigns.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1583 T1592 T1071 T1091 T1190 T1567 T1219 T1090 T1609 T1568 T1598 T1588 T1189 T1556 T1211

MALWARE FAMILIES

SSHDoor Ngioweb

Indicators of Compromise (73)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	142e4198e11d405899619d49cc6dc79c	—	2024-08-07
FileHash-MD5	369d5d0a5c800724a6d77f100fef0e2c	—	2024-08-07
FileHash-MD5	6f56666e4a9d31089b6310ebbdffa6f4	—	2024-08-07
FileHash-MD5	973eee9fae6e3a353286206da7a89904	—	2024-08-07
FileHash-MD5	ae3054b3d932f7605cfd13ed31668efb	—	2024-08-07
FileHash-MD5	cb075ac6e8084aa29cffc2000cbe2576	—	2024-08-07
FileHash-MD5	d5f6794c3b41f1d7f12715ba3315fd7b	—	2024-08-07
FileHash-MD5	e994df2dec28cc74fa9471f02e23b6af	—	2024-08-07
FileHash-MD5	f4c0c90d97f3d774d26268bc8900c887	—	2024-08-07
FileHash-SHA1	14ad09321b977ee738a1df59710ab765053f40ea	—	2024-08-07
FileHash-SHA1	605505b8bf167aad873fc700b02cc5a7389d7fe7	—	2024-08-07
FileHash-SHA1	6c8e356c9fed009678842c93685cabf58b8954ad	—	2024-08-07
FileHash-SHA1	6d1a47ee6554323a11fc5555ba21e02104ec30fa	—	2024-08-07
FileHash-SHA1	6d886c9d1b47bf1c6cce466ffdfb5f14f6bcb57c	—	2024-08-07
FileHash-SHA1	b3b0e5f685bce3e22943ad2fe292cb7aa64d4c50	—	2024-08-07
FileHash-SHA1	bd547812018e59be543d9742b01431eb2e5e2641	—	2024-08-07
FileHash-SHA1	cb4960a3ea40835155a8309bde1b3d5ea8d92e61	—	2024-08-07
FileHash-SHA1	ebb450393809f657f1ab77b4582e0c4758f7b50d	—	2024-08-07
FileHash-SHA256	0891588667da40da58ffaa8fedcddb0a9a172646ec12e6d0b9ce2acc2caa302b	—	2024-08-07
FileHash-SHA256	104e3ea9a190ba039488f5200824fe883b98f6fe01d05a1b55e15ed2199c807a	—	2024-08-07
FileHash-SHA256	17257ce42246b8c47f9ec639a6ffaca2bc14c21a22c4419bf468e3f1d491e330	—	2024-08-07
FileHash-SHA256	2847ae693533406defecb226bfe6d62dd36905ff07add4e773426bde83e85ddc	—	2024-08-07
FileHash-SHA256	28aee94e9a3f6c4296663bb853a5af5817ae109f066c88b7a245316a9a1e4712	—	2024-08-07
FileHash-SHA256	2ae805b68d7408cc40ad058bc0b8b2b5c29d77760084a5230448e47cec1c43f4	—	2024-08-07
FileHash-SHA256	2f182a6cb72712c340c2adb43843cfccb5916d236485de1c62fb40c883570824	—	2024-08-07
FileHash-SHA256	4a932ccc8a45db6897a11de118cdbf67062569112f1caa69793669c5c24be708	—	2024-08-07
FileHash-SHA256	4d35ae9669db428b72b1aaadd21dbed44ad2fc678efc8110d89ff723e0497406	—	2024-08-07
FileHash-SHA256	53d687868fd7ab9e78aa09f696923bd3c057e4e50432d07210080474a8d879cb	—	2024-08-07
FileHash-SHA256	681a00df2e2cc680a4b68bdb6fe7d55c34d6d3fc35d462c78ebb659f9cb2cd60	—	2024-08-07
FileHash-SHA256	844cc1807cc5b628b7aa807ef3b682d051c8ad5427df3d3e36c7e7633bfc5768	—	2024-08-07
FileHash-SHA256	85a4151d790ab32d5321c6e71748b2446032e1775aedd0168be25f76bf4fe93f	—	2024-08-07
FileHash-SHA256	88f2d42bf225c930bc644f82bbd229e170d53dd1072e846e2883265a7ac33301	—	2024-08-07
FileHash-SHA256	944be9bb167a2f76fe2f539d3860bbf26301830c479bc68509af46e047993c8c	—	2024-08-07
FileHash-SHA256	95995686b9af8b56c3fed1dadccf8b2ed5f417bb4eb8947a406a6e943cca33c6	—	2024-08-07
FileHash-SHA256	a4a95807f1c5b200d5d94e3e811a7c4af2d0d9ca88ca4d7f9d02015574f4716f	—	2024-08-07
FileHash-SHA256	ad3fd3eb7a3a276ec0d384afb5b75fe7d9fc047bb0dab40f9d55870d4520c1f3	—	2024-08-07
FileHash-SHA256	bd0ea597f24bb72f8db34b6b6d2c0bc70eb53df9eae40cdb216a13521145ab03	—	2024-08-07
FileHash-SHA256	c290ab5d8ce9fcaa91da3b488c93dee1a4d0581c1335f19cb48027a5a03fe525	—	2024-08-07
FileHash-SHA256	dfc86b375e974b3092bbff41eb24db3281fb4fc104f1043a7afbf95f85a2c1d5	—	2024-08-07
FileHash-SHA256	e3ba85e0bc978013b145ebb4c2d583b33422da93787ab8fb2185b55478652d91	—	2024-08-07
FileHash-SHA256	edefd297285090fe743f5c3b111bce54da40f43a32e15d8fa87b8a2c243f6d47	—	2024-08-07
FileHash-SHA256	ef6fe4140001cb099968acd5772452859adbe7b57496389fbbf2342f9047b962	—	2024-08-07
FileHash-SHA256	f6541b569787aa050c54ad85976ac5b729697a022be188b0040d37aa91e49ae2	—	2024-08-07
FileHash-SHA256	f88d12332d2f58459f989c7c41b5381e8aed9c8c30c1d11373f0d1eb0b340b9a	—	2024-08-07
FileHash-SHA256	fed8c98fc754aff95f8538b5bebce558eb274256b0265d4482a675b74e93cc93	—	2024-08-07
domain	antihicipate.com	—	2024-08-07
domain	decumify.net	—	2024-08-07
domain	emelenalike.com	—	2024-08-07
domain	interocakate.com	—	2024-08-07
domain	macrofocafify.org	—	2024-08-07
domain	minixetepate.biz	—	2024-08-07
domain	promexucate.com	—	2024-08-07
domain	semiridinution-postepudency.com	—	2024-08-07
domain	subonuker.name	—	2024-08-07
domain	ultradomafy.net	—	2024-08-07
domain	underuvukent.com	—	2024-08-07
hostname	changepassword.giize.com	—	2024-08-07
hostname	clientrun.compuinter.com	—	2024-08-07
hostname	dfgtjytdfs.work.gd	—	2024-08-07
hostname	enforcer.mywire.org	—	2024-08-07
hostname	founderside.joseulloa.cl	—	2024-08-07
hostname	gopremium.mooo.com	—	2024-08-07
hostname	kjskrvmwerffssd.kozow.com	—	2024-08-07
hostname	li4858member.possessed.us	—	2024-08-07
hostname	moreover.lostgumball.com	—	2024-08-07
hostname	mumucnc.kozow.com	—	2024-08-07
hostname	packinstall.kozow.com	—	2024-08-07
hostname	puffypuf.gleeze.com	—	2024-08-07
hostname	speddot.seburn.net	—	2024-08-07
hostname	terminal.ooguy.com	—	2024-08-07
hostname	trompadiom.tutotame.bigbox.info	—	2024-08-07
hostname	vrrumover0.vrrum0.farted.net	—	2024-08-07
hostname	xfgjgjkuykykgihguifdt.mywire.org	—	2024-08-07