Archive for February, 2019

Rewterz Threat Alert – Flawed Ammyy RAT (aka FlawedAmmyy RAT) Malware

Severity

Medium

Analysis Summary

During execution, the following commands are executed.

  • cmd.exe /C net user /domain > "%ALLUSERSPROFILE%\TMPUSER.DAT"
  • cmd.exe /C net.exe stop foundation
  • cmd.exe /C sc delete foundation
  • cmd.exe /c del C:\Windows\Installer\MSI[0-9A-F]{4}.tmp >> NUL

If "WORKGROUP" or "workgroup" is found in TMPUSER.DAT (i.e. the host is not domain-joined), the malware jumps directly to the deletion stage.
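As an added example (not part of the Rewterz alert), the following Python scans constructed process-creation log lines for the command sequence above and reports hosts where at least two of the stages appear together; the "host|parent|commandline" log format, host names and parent process names are assumptions.

```python
import re
from collections import defaultdict

# Case-insensitive patterns for the four command lines listed in the alert.
# The MSI????.tmp deletion is ordinary Windows Installer cleanup, so on its own
# it is noise; it only matters when seen alongside the other stages.
INDICATORS = {
    "domain_user_dump": re.compile(
        r"net(\.exe)?\s+user\s+/domain\s*>\s*\S*TMPUSER\.DAT", re.I),
    "stop_foundation": re.compile(r"net(\.exe)?\s+stop\s+foundation\b", re.I),
    "delete_foundation_service": re.compile(
        r"\bsc(\.exe)?\s+delete\s+foundation\b", re.I),
    "msi_tmp_cleanup": re.compile(
        r"\bdel\s+\S*\\Installer\\MSI[0-9A-F]{4}\.tmp", re.I),
}

# Constructed sample log, one "host|parent_image|command_line" record per line
# (assumed format). WS01 shows the full sequence; WS02 and WS03 are benign look-alikes.
SAMPLE_LOG = r"""WS01|QziRxdxCaP.exe|cmd.exe /C net user /domain > "C:\ProgramData\TMPUSER.DAT"
WS01|QziRxdxCaP.exe|cmd.exe /C net.exe stop foundation
WS01|QziRxdxCaP.exe|cmd.exe /C sc delete foundation
WS01|QziRxdxCaP.exe|cmd.exe /c del C:\Windows\Installer\MSI1A2B.tmp >> NUL
WS02|msiexec.exe|cmd.exe /c del C:\Windows\Installer\MSI3C4D.tmp >> NUL
WS03|explorer.exe|cmd.exe /C net user /domain"""


def scan(log_text, min_hits=2):
    """Return {host: [matched indicator names]} for hosts with >= min_hits stages."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed records
        host, _parent, cmdline = parts
        for name, pattern in INDICATORS.items():
            if pattern.search(cmdline):
                hits[host].add(name)
    return {h: sorted(n) for h, n in hits.items() if len(n) >= min_hits}


if __name__ == "__main__":
    for host, stages in scan(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(stages)}")
```

Lowering min_hits to 1 surfaces the lone MSI cleanup on WS02, which is why the default requires two stages to fire.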

Indicators of Compromise

IP(s) / Hostname(s)

169.239.128[.]15

URLs

  • hxxp://195.123.209[.]169/dat1.omg
  • hxxp://213.183.63[.]242/fact1.omg

Filename

  • fact1.omg
  • QziRxdxCaP.exe

Email Address


Email Subject

Sending paper signs

Malware Hash (MD5/SHA1/SHA256)


Remediation

  • It is recommended to block the threat indicators at their respective controls.
  • Employees must not open spam emails that do not look relevant.
  • Never download files received in emails from unknown sources.
  • Never click on links attached in unexpected emails.

Rewterz Threat Advisory – Denial of Service flaw in Windows Servers running IIS

Severity

High

Analysis Summary

Windows servers running Internet Information Services (IIS) are vulnerable to denial-of-service (DoS) attacks carried out through malicious HTTP/2 requests. Attackers can trigger a DoS condition by sending specially crafted HTTP/2 requests, which causes CPU usage to spike temporarily to 100%.

Impact

Denial of service.

Affected Products

  • Microsoft Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server version 1709 (Server Core Installation)
  • Microsoft Windows 10 Version 1607 for 32-bit Systems
  • Microsoft Windows 10 Version 1607 for x64-based Systems
  • Microsoft Windows 10 version 1703 for 32-bit Systems
  • Microsoft Windows 10 version 1703 for x64-based Systems
  • Microsoft Windows 10 version 1709 for 32-bit Systems
  • Windows 10 Version 1709 for x64-based Systems
  • Microsoft Windows 10 Version 1709 for ARM64-based Systems
  • Microsoft Windows 10 Version 1803 for 32-bit Systems
  • Microsoft Windows 10 Version 1803 for ARM64-based Systems
  • Microsoft Windows 10 Version 1803 for x64-based Systems
  • Windows Server Version 1803 (Server Core Installation)

Remediation

Define limits on the number of HTTP/2 SETTINGS parameters allowed over a connection. These limits are not preset by the vendor and must be defined by the system administrator after reviewing the HTTP/2 protocol and their environment's requirements.


Rewterz Threat Advisory – CVE-2019-7815 – Adobe Reader / Acrobat Information Disclosure Vulnerability

Severity

Medium

Analysis Summary

The fix for CVE-2019-7089 first introduced in 2019.010.20091, 2017.011.30120 and 2015.006.30475 has been bypassed, leading to CVE-2019-7815. Successful exploitation could lead to sensitive information disclosure in the context of the current user.

Impact

Exposure of sensitive information.

Affected Products

  • Acrobat DC versions 2019.010.20091 and prior running on Windows and macOS
  • Acrobat Reader DC versions 2019.010.20091 and prior running on Windows and macOS
  • Acrobat 2017 versions 2017.011.30120 and prior running on Windows
  • Acrobat Reader DC 2017 versions 2017.011.30120 and prior running on Windows
  • Acrobat DC (Classic 2015) versions 2015.006.30475 and prior running on Windows
  • Acrobat Reader DC (Classic 2015) versions 2015.006.30475 and prior running on Windows

Remediation

Acrobat DC / Acrobat Reader DC 2019 running on Windows and macOS: Update to version 2019.010.20098.

Acrobat 2017 / Acrobat Reader DC 2017 running on Windows: Update to version 2017.011.30127.

Acrobat DC / Acrobat Reader DC (Classic 2015) running on Windows: Update to version 2015.006.30482.


Rewterz Threat Advisory – CVE-2016-8618 – F5 Multiple BIG-IP Products libcurl Vulnerability

Severity

Medium

Analysis Summary

A vulnerability in multiple F5 BIG-IP products can be exploited by malicious people to compromise a vulnerable system.

The libcurl API function curl_maprintf(), before version 7.51.0, can be tricked into performing a double-free due to an unsafe size_t multiplication on systems using 32-bit size_t variables.

A custom monitor or script that calls the curl command may allow unauthorized disclosure of information, unauthorized modification, and disruption of service. The big3d process, which includes the libcurl library, may allow unauthorized disclosure of information, unauthorized modification, and disruption of service.

Impact

  • System Access
  • Information Disclosure

Affected Products

  • BIG-IP LTM versions 13.0.0 through 13.0.1, 12.0.0 through 12.1.4, 11.4.0 through 11.6.3, and 11.2.1
  • BIG-IP AAM versions 12.0.0 through 12.1.4 and 11.4.0 through 11.6.3
  • BIG-IP AFM versions 13.0.0 through 13.0.1 and 11.4.0 through 11.6.3
  • BIG-IP Analytics versions 12.0.0 through 12.1.4
  • BIG-IP APM versions 13.0.0 through 13.0.1
  • BIG-IP ASM versions 13.0.0 through 13.0.1
  • BIG-IP DNS versions 12.0.0 through 12.1.4
  • BIG-IP Edge Gateway version 11.2.1
  • BIG-IP GTM versions 11.4.0 through 11.6.3 and 11.2.1
  • BIG-IP Link Controller versions 12.0.0 through 12.1.4
  • BIG-IP PEM versions 12.0.0 through 12.1.4 and 11.4.0 through 11.6.3
  • BIG-IP PSM versions 11.4.0 through 11.4.1
  • BIG-IP WebAccelerator version 11.2.1
  • BIG-IP WebSafe versions 12.0.0 through 12.1.4 and 11.6.0 through 11.6.3

Remediation

Update or upgrade to a fixed version if available.

BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PEM, and WebSafe: Update or upgrade to version 13.1.0.


Rewterz Threat Alert – Oceansalt APT Group targets Finance, Education, Telecommunications and Agricultural sectors

Severity

Medium

Analysis Summary

The Oceansalt APT Group appears to have links with the Chinese hacking group Comment Crew (aka APT1).

The group's target sectors include finance, universities, telecommunications and agriculture. The threat actors behind Oceansalt implant malware on the intended target's system; however, their motives are not yet clear.

Impact

  • Financial loss
  • Damage to reputation
  • Potential legal consequences

Indicators of Compromise

IP(s) / Hostname(s)


URLs


Malware Hash (MD5/SHA1/SHA256)


Remediation

  • Block the threat indicators at their respective controls.
  • WHITELIST applications – use application whitelisting to block the execution of uncertified binaries.
  • BLOCK executables – prevent binaries from executing from temporary folders under the user home directory.
  • BLOCK macros – where possible, restrict or block macros from executing, or implement internal policies on external documents that include macros.
  • ENHANCE Secure Web Gateways – look to features in the SWG to monitor for binaries that are masked as web/HTTP artifacts (i.e. PHP files).
  • GEO-FENCE connections – disallow outbound network connections to regions with no business function.
  • SANITIZE emails – scrutinize attachments and website hyperlinks contained in e-mails.
  • PATCH vulnerabilities – prioritize timely patching of Internet-connected systems and software that processes Internet data for known vulnerabilities, especially the Microsoft Office suite.
  • REFRESH SIEM use cases – look to use cases that involve VBA scripts.


Rewterz Threat Alert – Multiple Phishing Campaigns – IoCs

Severity

High

Analysis Summary

Multiple phishing campaigns have been observed targeting multiple organizations to deliver the AZORult malware, the Trickbot banking Trojan and the Emotet malware.

While Trickbot and Emotet are previously known, AZORult is an information stealer that can harvest credentials from several software applications, enumerate and grab files from the Desktop, capture saved data from browsers (e.g. cookies, passwords, saved credit card information), steal Skype information, and steal cryptocurrency wallet information.

Collective threat indicators are given below. Many of these threat indicators were not detected as malicious by any of the VirusTotal engines.

Impact

  • Credential Theft
  • Data Manipulation
  • Information Disclosure
  • Malware Infection

Indicators of Compromise

IP(s) / Hostname(s)

  • 79[.]104[.]212[.]85
  • 104.211.157[.]67
  • 47.254.177[.]121

URLs


Filename

  • NEW ORDER.IMG
  • NEW ORDER.exe

Email Address

  • linda[@]alliedmortgage[.]com
  • ap[@]voicemail-listen[.]com
  • elisa.nunes[@]konecranes[.]com

Email Subject

  • Lynda Sivils Transaction for eInvoice
  • AT&T payment update
  • RE: Revised Order No. 2019 – 1562.IMG
  • Quick Submission: Microsoft/Google
  • FW: Confirm account status

Malware Hash (MD5/SHA1/SHA256)


Remediation

  • These malspam campaigns are not only prevalent but are also increasing in frequency day by day.
  • It is recommended to block the threat indicators at their respective controls.
  • Employees must not open spam emails that do not look relevant.
  • Never download files received in emails from unknown sources.
  • Never click on links attached in unexpected emails. Never "enable macros" or "enable content" if a file fails to open.


Copyright © Rewterz. All rights reserved.