VirusTotal shows no detections for the Meterpreter payload, indicating a possibly unique fingerprint. Additionally, the most recently registered domain draws interest. The IP address is running a small number of services, on ports 22, 80 and 8080.
@GroupIB_TI released a great report detailing MuddyWater's use of SimpleHelp Remote Support Software. They tracked the #APT's infrastructure using ETags.
Let's take a look! 🧐 👇👇
2/ First ETag (153): 🔟 results.
First IP of interest: 👉 164.132.237[.]67
If we now pivot on the SSH host key hash, we match on another IP:
👉 3.6.222[.]144.
Looking at this IP, the SSL certificate it presents carries the subject O=Teradici Corporation...