Hangover Threat Group IOC

Short Description:

Hangover threat group (aka Neon, Viceroy Tiger, MONSOON) carrying out targeted cyberattacks deploying BackConfig malware attacks against government and military organizations in South Asia including Bangladesh.

Hangover Group is a cyberespionage group that was first observed in December 2013 carrying on a cyberattack against a telecom corporation in Norway. The Hangover Group’s initial vector of compromise is to carry out spear-phishing campaigns. The group uses local and topical news lures from the South Asia region to make their victims more prone to falling into their social engineering techniques, making them download and execute a weaponized Microsoft Office document. After the user executes the weaponized document, backdoor communication is established between BackConfig and the threat actors, allowing attackers to carry on espionage activity, potentially exfiltrating sensitive data from compromised systems.

Indicator of compromise (IoC) in computer forensics is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.

Indicator typeIndicator
    File Hashes021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b 07c97b253452a2a8eb7753ed8c333efeaa3546c005ffcfb5b3d71dc61c49abda 0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf 0f11fb955df07afc1912312f276c7fa3794ab85cd9f03b197c8bdbefb215fe92 15109962da4899949863447bfdf6a6de87a8876f92adb7577392032df44ec892 167c7d7c08d318bc40e552e6e32715a869d2d62ba0305752b9b9bece6b9e337e 18ce3eebbb093a218a8f566b579a5784caee94fadcda8f8c0d21f214ce2bd8b9 29c5dd19b577162fe76a623d9a6dc558cfbd6cddca64ed53e870fe4b66b44096 306fe259a250b2f0d939322cfb97787c4076c357fc9eb1f1cc10b0060f27f644 31faeefb4dc4e54b747387bb54a5213118970ccb2f141559f8e2b4dbfdbeb848 4104a871e03f312446ef2fb041077167a9c6679f48d48825cbc1584e4fa792cd 4BAFBF6000A003EB03F31023945A101813654D26B7F3E402D1F51B7608B93BCB 4a4bc01b20dd2aaa2a2434dc677a44cc85d9533bed30bc58b8026b877db028d5 56349cf3188a36429c207d425dd92d8d57553b1f43648914b44965de2bd63dd6 677d4982d714bb47fab613ebe1921005509ed0d1e8965e7241994e38c3ade9f2 6787242a810f8a5e1423e83790064a0a98954ab0802a90649fdd55a47d75695e 6a35d4158a5cb8e764777ba05c3d7d8a93a3865b24550bfb2eb8756c11b57be3 752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f 84e56294b260b9024917c390be21121e927f414965a7a9db7ed7603e29b0d69c 87e8c46d065ace580b1ed28565d1fddaa6df49da1ba83f7b3e9982cd8a0013f1 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c 91c67c1cda67b60c82e14a5c32d79a4236f5a82136317162dfbde1a6054cf8c1 922d6e68ecac6dbfdd1985c2fae43e2fc88627df810897e3068d126169977709 952d4a9891a75e25e1c31a0514b97345ca0d8f240cdd4a57c8b3ff8a651a231a 9e141fe67521b75412419a8c88c199c8ebd2a135c7a8b58edced454fbc33cb77 a1cd89a684db41206fc71efe327ef608652931e749c24a3232908824cea426bb abe82ffb8a8576dca8560799a082013a7830404bb235cb29482bc5038145b003 b18697e999ed5859bfbc03e1d6e900752e1cdcd85ddb71729e2b38161366e5b5 be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461 d3013204f1a151c72879afc213dca3cada8c3ea617156b37771bdd7b7b74057f d87b875b8641c538f90fe68cad4e9bdc89237dba137e934f80996e8731059861 de5b670656cbdbcf11607f01a6f93644765d9647ddab39b54946170b33f7ac9a e28f1bc0b0910757b25b2146ad02798ee6b206a5fe66ce68a28f4ab1538d6a1f f79ebf038c7731ea3a19628cb329cada4ebb18f17439d9c6cf19d361b0494e7b
Network Indicatorslinkrequest.live matissues.com 185.203.119.184 212.114.52.148 23.106.123.87 5.135.199.14 hxxp://185.203.119.184/Dropbox/request hxxp://185.203.119.184/One_Drivers/request hxxp://185.203.119.184/fin_div/session hxxp://185.203.119.184/winmgt/winmgt.exe hxxp://212.114.52.148/request/httpsrequest hxxp://alphamike.com.mv/housing hxxp://chancetowin.quezknal.net/appstore/updatepatch/logs.exe hxxp://mgamphs.edu.bd/info/ hxxp://nsaimmigration.com/userfiles/image/fbr.php hxxp://nsaimmigration.com/userfiles/image/nphp_registration_form.php hxxp://webtechhub.com/wordpress/wp-content/images/fbr_circular.php hxxp://www.nsaimmigration.com/userfiles/image/nphp_registration_form.php?r=Y2qyQR5Rk18HlNUpvdpoiV7jtMCQQHADgShCsmQGwgpWFe5FP63RAlvpj_c25-KdTsdKVAqeV5JT_rK9tOfaMA

*Note: All http is replaced with hxxp.

Reference:

https://unit42.paloaltonetworks.com/atoms/hangover/

For more information:

https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/

https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/

https://attack.mitre.org/groups/G0040/

Share