The UNC4191 threat group was observed targeting entities in the Philippines with custom malware and the Ncat command-line networking utility.
The malware is written in C/C++, propagates by infecting newly inserted removable drives, and opens a reverse shell to the actor's command-and-control server.
Registry Run keys are used for persistence, while multiple legitimate binaries are abused for DLL side-loading.
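As an added example (not part of the alert), a small Python triage routine over constructed Sysmon-style events for the three behaviours summarised above: Run-key persistence pointing outside installer-owned directories, an unsigned DLL loaded from beside its host executable (side-loading), and Ncat execution. The event field names and sample records are assumptions modelled on Sysmon's schema, not real telemetry.

```python
import ntpath
import re

# Paths normally written only by installers; anything launched or loaded from
# elsewhere (user profile, removable drive) is treated as suspicious.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

# Constructed sample records (not real telemetry), modelled on Sysmon Event ID 13
# (registry value set), 7 (image loaded) and 1 (process create).
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"E:\update.exe"},  # value points at a removable drive
    {"id": 13, "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},  # benign
    {"id": 7, "image": r"C:\Users\alice\AppData\Roaming\svc\legit.exe",
     "imageloaded": r"C:\Users\alice\AppData\Roaming\svc\version.dll", "signed": "false"},
    {"id": 7, "image": r"C:\Windows\System32\svchost.exe",
     "imageloaded": r"C:\Windows\System32\version.dll", "signed": "true"},  # benign
    {"id": 1, "image": r"C:\Users\alice\AppData\Roaming\svc\ncat.exe"},
]

def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)

def triage(event):
    """Return a finding string for one event, or None if nothing matched."""
    eid = event["id"]
    if eid == 13 and RUN_KEY.search(event["target"]):
        # Run/RunOnce value set: flag launch paths outside the trusted directories
        if not in_trusted_dir(event["details"]):
            return "run-key persistence -> " + event["details"]
    elif eid == 7:
        # Side-loading pattern: an unsigned DLL loaded from the same directory as
        # the loading executable, with that directory outside the trusted set
        same_dir = ntpath.dirname(event["image"]).lower() == ntpath.dirname(event["imageloaded"]).lower()
        if event["signed"] == "false" and same_dir and not in_trusted_dir(event["imageloaded"]):
            return "possible DLL side-loading -> " + event["imageloaded"]
    elif eid == 1 and ntpath.basename(event["image"]).lower() in ("ncat.exe", "nc.exe"):
        return "ncat execution -> " + event["image"]
    return None

def triage_all(events):
    """Run triage over a batch and keep only the hits, in event order."""
    return [hit for hit in map(triage, events) if hit]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(finding)
```

The trusted-directory list is deliberately narrow; in production it should be tuned to the fleet's install locations to keep false positives down.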
SkyWatchSM Alert Legend
Glesec Information Sharing Protocol
GLESEC CYBER SECURITY INCIDENT REPORTS are in compliance with the U.S. Department of Homeland Security (DHS) Traffic-Light Protocol (TLP).
Disclosure is Not Limited.
Limited Disclosure, Restricted Only to the Community.
Limited Disclosure, restricted to the Participant's Organization.
Not for Disclosure, Restricted/Classified - Only Shared with US DHS.