Indian Companies are under Targeted Attack – Financially motivated


Security researchers have identified “Stormous ransomware” campaigns targeting multiple organizations, with a particular focus on Indian organizations, for financial gain.

The group communicates with other attackers mainly through a Telegram channel and Onion (Tor) websites. It recently ran a poll on who its next target should be, and, shockingly, most respondents voted for Indian organizations.

The attacks focus on:

  • Gaining full control of the environment
  • Exfiltrating PII and PCI data from the organization
  • Destroying and releasing the organization's intellectual property
  • Revealing the organization's financials on the dark web
  • Targeting financial systems and servers and taking them down

On 11-APR-2022 the group shifted its attacks to Indian organizations; below is the list of victims that, according to the attackers' own claims, were already under attack.

Victim list (image). Source: CloudSek

The target list also brings more uncertainty because of the large number of Indian companies named. If your organization is among them, go to the IOCs and block them immediately, and enrich your threat intelligence capabilities so that you can detect adversary activity and understand your organization's security posture.

List of Indian companies in the target list:


How are victims selected?

Shockingly, the group runs an open poll on who its next target should be. The most recent poll resulted in an attack on “First Floppy”, and the group already claims to hold that organization's source code and data.

Indian Entities Targeted by Stormous Group

Indian companies targeted (image). Source: CloudSek

Indicators of Compromise

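Advisories like this one publish their indicators defanged (hxxp for http, and "(.)" or "[.]" for "."), so the first step in acting on them is to refang them and match them against your own egress telemetry. The following is an added example, not code from the original post or from CloudSek: it refangs a constructed IOC block (documentation-range values, not the post's indicators), skips entries the analyst marked "No malicious records" so they do not raise false positives, and flags constructed proxy log lines whose destination is a listed host, IP or CIDR range.

```python
import ipaddress
import re

# Constructed sample IOCs in the defanged style of such advisories (hxxp, "(.)", "[.]"); documentation-range values, not real indicators.
SAMPLE_IOCS = """\
hxxp://bad-example(.)com/indexSTM(.)html
203[.]0[.]113[.]10
198[.]51[.]100[.]0/24
192[.]0[.]2[.]7 (No malicious records)
"""
# Constructed sample proxy log: "<timestamp> <client_ip> <dest_host> <url>"
SAMPLE_LOG = """\
2022-04-25T10:01:02 10.0.0.5 bad-example.com http://bad-example.com/indexSTM.html
2022-04-25T10:01:03 10.0.0.6 www.example.org http://www.example.org/
2022-04-25T10:01:04 10.0.0.7 198.51.100.44 http://198.51.100.44/update
2022-04-25T10:01:05 10.0.0.8 192.0.2.7 http://192.0.2.7/
"""

def refang(indicator):
    # Undo defanging: hxxp -> http, "(.)" / "[.]" -> ".", then lowercase.
    s = re.sub(r"hxxp(s?)://", r"http\1://", indicator.strip(), flags=re.I)
    return s.replace("(.)", ".").replace("[.]", ".").lower()
def host_of(indicator):
    # Host part (domain, IP or CIDR) of an indicator; URLs lose scheme, path and port.
    s = refang(indicator)
    return s.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0] if "://" in s else s
def load_iocs(text):
    # Build (hostnames, ip_networks); "No malicious records" entries are skipped.
    hosts, nets = set(), []
    for line in text.splitlines():
        if not line.strip() or "No malicious records" in line:
            continue
        try:
            nets.append(ipaddress.ip_network(host_of(line), strict=False))  # IPs -> /32
        except ValueError:
            hosts.add(host_of(line))
    return hosts, nets
def match_log(log_text, hosts, nets):
    # Return (timestamp, client, dest) for lines whose destination is a listed IOC.
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        dest = fields[2].lower() if len(fields) > 2 else ""  # malformed lines never match
        try:
            hit = dest in hosts or any(ipaddress.ip_address(dest) in n for n in nets)
        except ValueError:  # destination is a hostname, not an IP address
            hit = dest in hosts
        if hit:
            hits.append((fields[0], fields[1], dest))
    return hits
```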

Recommendations:

It is high time for Indian companies to ensure they do not become victims of a targeted attack. Experts also urge you to verify that the basics are in place and to strengthen your security immediately:

  • Detect attacks against your organization
  • Analyze those attacks
  • Deploy the mitigations
  • Review your security policies
  • Revisit all entry and exit points of the organization

By | 2022-04-25T14:54:23+05:30 April 25th, 2022 | Targeted Attacks

About the Author:

FirstHackersNews- Identifies Security
