Sophos MDR hunt tracks Mimic ransomware campaign against organizations in India

    Date: 08/14/2024

    Severity: Critical

    Summary

    Sophos MDR detected activity linked to this campaign in late March 2024, responding to an organization’s compromised SQL Server and the attacker’s lateral movement attempts, including deploying a web shell. Further investigation revealed multiple compromises with similar tactics and techniques, leading to the creation of a security threat activity cluster named STAC6451. This cluster is noted for exploiting SQL databases and using the Bulk Copy Program (bcp) to introduce tools like RMM software and Mimic ransomware-related files into target environments.

    Indicators of Compromise (IOC) List

    Domains / URLs

    windowstimes.online

    times.windowstimes.online

    https://jobquest.ph

    jobquest.ph

    IP Address 

    91.203.134.122

    194.26.135.76

    80.66.76.30

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs

    userdomainname like "windowstimes.online" or url like "windowstimes.online" or userdomainname like "times.windowstimes.online" or url like "times.windowstimes.online" or userdomainname like "https://jobquest.ph" or url like "https://jobquest.ph" or userdomainname like "jobquest.ph" or url like "jobquest.ph"

    IP Address

    dstipaddress IN ("91.203.134.122","194.26.135.76","80.66.76.30") or ipaddress IN ("91.203.134.122","194.26.135.76","80.66.76.30") or publicipaddress IN ("91.203.134.122","194.26.135.76","80.66.76.30") or srcipaddress IN ("91.203.134.122","194.26.135.76","80.66.76.30")

    Hash Query 1

    sha256hash IN ("549a883cb3d923eb0b45248d6f46bd2859a3265f203e6019f3e4b9df6c9f9813","81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72","0964ec866b24eea67c8e7b11060acbf9455e182d0ff97987114c291d29e54f73","73de5c6390f26133f20208367c4398798fd4dc1e9986bdfb7fea9288f4f53efa","04ba9dd2d3127511af52e1be3015e0424491cfb2133f90f8b5b5cac2e33166d4","89672638152c13d10ae8afa03df7798081d025939bcfae354e8540cdda2cf16a","ae7031dfae21616d7eec326c16ebac7f9d911a354ba32dd4b4c458fe50351805","4e5ec0db67045bdc008e949214bea81a5d1e4c1e0de211159f0e9d7d33ecbf7a")
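    The three queries above translated into a portable matcher and run over constructed log records, as an added example that is not part of the Gurucul or Sophos material. It assumes that Gurucul's `like` is a case-insensitive substring match and `IN` an exact match, and that records carry the same field names the queries use.

```python
# Added example, not code from the Sophos or Gurucul page. Re-implements the three
# Gurucul TDIR queries above as a portable matcher. Assumption: Gurucul "like" is a
# case-insensitive substring match and "IN" is exact; field names are the queries'.
DOMAIN_IOCS = ["windowstimes.online", "times.windowstimes.online",
               "https://jobquest.ph", "jobquest.ph"]
IP_IOCS = {"91.203.134.122", "194.26.135.76", "80.66.76.30"}
HASH_IOCS = {
    "549a883cb3d923eb0b45248d6f46bd2859a3265f203e6019f3e4b9df6c9f9813",
    "81423f5454208e958aa183c2850809620676485c63aab07d91a6f85c1d9b4e72",
    "0964ec866b24eea67c8e7b11060acbf9455e182d0ff97987114c291d29e54f73",
    "73de5c6390f26133f20208367c4398798fd4dc1e9986bdfb7fea9288f4f53efa",
    "04ba9dd2d3127511af52e1be3015e0424491cfb2133f90f8b5b5cac2e33166d4",
    "89672638152c13d10ae8afa03df7798081d025939bcfae354e8540cdda2cf16a",
    "ae7031dfae21616d7eec326c16ebac7f9d911a354ba32dd4b4c458fe50351805",
    "4e5ec0db67045bdc008e949214bea81a5d1e4c1e0de211159f0e9d7d33ecbf7a",
}
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

def match_record(rec):
    """Return (query, field, ioc) hits for one log record given as a dict."""
    hits = []
    for field in DOMAIN_FIELDS:
        value = str(rec.get(field, "")).lower()
        for ioc in DOMAIN_IOCS:
            # substring match: "windowstimes.online" already covers the "times."
            # subdomain entry; one hit per field mirrors the query's OR chain
            if ioc in value:
                hits.append(("domain", field, ioc))
                break
    for field in IP_FIELDS:
        if rec.get(field) in IP_IOCS:
            hits.append(("ip", field, rec[field]))
    digest = str(rec.get("sha256hash", "")).lower()  # normalise hash case
    if digest in HASH_IOCS:
        hits.append(("hash", "sha256hash", digest))
    return hits

def scan(records):
    """Return [(index, hits)] for every record matching at least one IOC."""
    return [(i, h) for i, h in ((i, match_record(r)) for i, r in enumerate(records)) if h]

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    {"url": "http://times.windowstimes.online/update", "srcipaddress": "10.0.0.5"},
    {"dstipaddress": "80.66.76.30",
     "sha256hash": "4e5ec0db67045bdc008e949214bea81a5d1e4c1e0de211159f0e9d7d33ecbf7a"},
    {"url": "https://example.org/", "srcipaddress": "10.0.0.6"},
    {"sha256hash": "549A883CB3D923EB0B45248D6F46BD2859A3265F203E6019F3E4B9DF6C9F9813"},
]
```

Note that under substring semantics the bare `windowstimes.online` entry already matches the `times.` subdomain, and hash case is normalised before comparison so mixed-case telemetry is not missed.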

    Reference:

    https://news.sophos.com/en-us/2024/08/07/sophos-mdr-hunt-tracks-mimic-ransomware-campaign-against-organizations-in-india/ 

    Tags

    Malware, Ransomware, Exploit
