Archive for April, 2019

Rewterz Threat Alert – Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers

Severity

Medium

Analysis Summary


A new technical support scam (TSS) campaign has surfaced that uses an iframe in combination with a basic-authentication pop-up to freeze the user's browser. The technique also helps the threat actors evade detection. Like other TSS campaigns that disguise themselves as service providers for legitimate, well-known brands, this campaign uses Microsoft's name to lure victims and establish a false sense of legitimacy. Following is a preview of the authentication pop-up on the spoofed Microsoft web page.


Indicators of Compromise

URLs

  • hxxp[:]//140[.]82[.]36[.]155/assests/eng_edge_new[.]html
  • hxxp[:]//140[.]82[.]38[.]211/assests/eng_edge_new[.]html
  • hxxp[:]//140[.]82[.]42[.]6/assests/eng_edge_new[.]html
  • hxxp[:]//140[.]82[.]46[.]46/assests/eng_edge_new[.]html
  • hxxp[:]//140[.]82[.]9[.]45/assests/eng_edge_new[.]html
  • hxxp[:]//149[.]28[.]36[.]182/assests/eng_edge_new[.]html
  • hxxp[:]//149[.]28[.]45[.]200/assests/eng_edge_new[.]html
  • hxxp[:]//149[.]28[.]56[.]4/assests/eng_edge_new[.]html
  • hxxp[:]//18[.]206[.]159[.]176/assests/eng_edge_new[.]html
  • hxxp[:]//199[.]247[.]3[.]159/assests/eng_edge_new[.]html
  • hxxp[:]//207[.]246[.]127[.]175/assests/eng_edge_new[.]html
  • hxxp[:]//216[.]155[.]135[.]180/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]32[.]156[.]135/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]32[.]205[.]54/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]76[.]166[.]173/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]76[.]166[.]231/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]76[.]2[.]215/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]76[.]4[.]128/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]76[.]6[.]92/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]77[.]109[.]221/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]77[.]149[.]225/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]77[.]154[.]214/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]77[.]218[.]239/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]77[.]64[.]207/assests/eng_edge_new[.]html
  • hxxp[:]//45[.]77[.]67[.]129/assests/eng_edge_new[.]html
  • hxxp[:]//80[.]240[.]16[.]81/assests/eng_edge_new[.]html
  • hxxp[:]//80[.]240[.]19[.]216/assests/eng_edge_new[.]html
  • hxxp[:]//95[.]179[.]167[.]173/assests/eng_edge_new[.]html
  • hxxp[:]//95[.]179[.]168[.]138/assests/eng_edge_new[.]html

Remediation

  • Block the threat indicators at their respective controls.
  • Do not respond to pop-ups that raise panic and alarm. Instead, contact a legitimate source to confirm the security status of your computer.
  • Always check the URL for errors or spelling mistakes to confirm its legitimacy.

Rewterz Threat Alert – Buhtrap backdoor and ransomware distributed via major advertising platform

Severity

Medium

Analysis Summary

Recently, threat actors distributed malware by abusing Yandex.Direct and hosting the payloads on GitHub. The group used two well-known backdoors — Buhtrap and RTM — as well as ransomware and cryptocurrency stealers. Malicious ads posted through Yandex.Direct redirected potential targets to a website offering malicious downloads disguised as document templates.

The user must run the downloaded executable for the infection to take place. Moreover, the cryptocurrency addresses associated with the ransom payment in this campaign are encrypted using RC4.

Impact

  • File encryption
  • Cryptocurrency mining

Indicators of Compromise

IP(s) / Hostname(s)

  • stat-counter-7-1[.]bit
  • stat-counter-7-2[.]bit

URLs

  • blanki-shabloni24[.]ru
  • clipbanker[.]hm
  • ktosdelaetskrintotpidor[.]com
  • medialeaks[.]icu
  • sositehuypidarasi[.]com
  • icq[.]chatovod[.]info
  • spy[.]banker[.]kw
  • spy[.]buhtrap[.]ae
  • spy[.]buhtrap[.]ag
  • womens-history[.]me

Filename

  • nike.exe
  • sbornik_dokumentov.exe
  • master_blankov_300.exe
  • mir_vseh_blankov_24.exe
  • blanki.exe
  • master-blankov24.exe
  • vseblanki24.exe
  • masterblankov24.exe
  • btctradebot.exe
  • hashfish.exe
  • hashfish.apk

Malware Hash (MD5/SHA1/SHA256)

  • d53d1452f383725f3386868839d1b7b2
  • 4112520ab7344076b2fe93a43fcde5ad
  • 9554fc65845324f783ffa2911c8b2cd9
  • c87afebec0fd296ccbaf60b5a8403719
  • 33cc2f1943e834dff6650e0e1ab70e87
  • d06d957763ccc49a7fb1a65d6430ead0
  • 3e521df314e3295cd8b8ff7ca19153a3
  • 1269e8bdb4fc853e8670b710415658cb
  • 55233473ba6fa3fdfdac096d5c0e0bbf
  • 37960e9e34832c5ff314c30ab64c6d7a
  • cd16693695c59427b08e6597019b85f3
  • c01f3f066eae4b255f29739707f27175
  • 09647962c6335e2f81ae97fe2e28c15c
  • 23a73657fe1e95a2c08e1b30a8cf6c48
  • 77487c27f5476f7bcb092106f4845b4f
  • d336e579505f40c72902a7df9aa04138
  • 3a1230a7d7a0d7dafafb443d0cb751d4

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files from untrusted sources.
  • Do not click on URLs attached in unexpected/untrusted emails.

Rewterz Threat Advisory – Oracle WebLogic Zero-day Vulnerability

Severity

Medium

Analysis Summary


The Oracle WebLogic application server contains a critical deserialization remote code execution vulnerability that affects all versions of the software; it can be triggered when the “wls9_async_response.war” and “wls-wsat.war” components are enabled.

The vulnerability allows attackers to remotely execute arbitrary commands on affected servers simply by sending a specially crafted HTTP request—no authorization is required.

Impact

Remote code execution

Affected Vendors

Oracle

Affected Products

  • WebLogic 10.X
  • WebLogic 12.1.3

Remediation

The vendor has not released a patch for the affected products as of yet.

The following temporary workarounds are recommended for the unpatched vulnerability.

  • Scenario-1: Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.
  • Scenario-2: Restrict URL access to the /_async/* and /wls-wsat/* paths with an access-policy control.
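Both scenarios above can be verified programmatically. The following Python example is added here and is not code from Rewterz or Oracle: it implements a canonicalising deny-check for the /_async/* and /wls-wsat/* paths of the kind a reverse proxy or servlet filter placed in front of WebLogic would apply (Scenario-2), and a scan of a deployment directory for the two named archives (Scenario-1). The request paths, the directory layout and the function names are the author's own constructions. The point of the canonicalisation step is that a path-based deny rule must see the same spelling of the path that the server will resolve; otherwise an encoded, doubled-slash or dot-segment form of the same directory passes the rule but still reaches the component.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

# The two paths and two component archives named in the scenarios above.
DENIED_ROOTS = ("/_async", "/wls-wsat")
RISKY_WARS = {"wls9_async_response.war", "wls-wsat.war"}

# Constructed request paths used to exercise the policy (not taken from real traffic).
SAMPLE_REQUESTS = [
    "/_async/foo",
    "/wls-wsat/bar?x=1",
    "/%5Fasync/foo",           # percent-encoded underscore
    "/%255Fasync/foo",         # double-encoded underscore
    "/console/../_async/foo",  # dot segment climbing into the denied directory
    "//wls-wsat/",             # duplicate leading slash
    "/WLS-WSAT/bar",           # different case
    "/_asyncfoo",              # shares a prefix string but is a different directory
    "/console/",
]


def canonical_path(raw):
    """Reduce a request path to one canonical spelling before comparing it with the policy.

    Drops query and fragment, percent-decodes twice (so %25-encoded sequences are caught),
    collapses repeated slashes, resolves '.' and '..' segments and lower-cases the result.
    Lower-casing is a deliberately conservative choice for a deny rule."""
    p = raw.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):
        p = unquote(p)
    p = "/" + p.lstrip("/")  # normpath would keep a leading '//', so strip it first
    return posixpath.normpath(p).lower()


def is_denied(raw):
    """True when the canonical path is a denied directory itself or anything beneath it."""
    p = canonical_path(raw)
    return any(p == root or p.startswith(root + "/") for root in DENIED_ROOTS)


def evaluate_requests(paths):
    """Pair each raw request path with the verdict the policy would give it."""
    return [(raw, "deny" if is_denied(raw) else "allow") for raw in paths]


def find_risky_wars(deploy_root):
    """Scenario-1 check: list every copy of the named archives anywhere below deploy_root."""
    found = []
    for dirpath, _dirs, files in os.walk(deploy_root):
        found.extend(os.path.join(dirpath, f) for f in files if f.lower() in RISKY_WARS)
    return sorted(found)


def demo_find_risky_wars():
    """Build a throw-away directory tree with the two archives plus a benign file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "deploy"))
        for name in ("wls9_async_response.war", "wls-wsat.war", "myapp.war"):
            open(os.path.join(root, "deploy", name), "wb").close()
        return [os.path.basename(p) for p in find_risky_wars(root)]


if __name__ == "__main__":
    for raw, verdict in evaluate_requests(SAMPLE_REQUESTS):
        print(f"{verdict:5} {raw}")
    print("risky archives found:", demo_find_risky_wars())
```

Of the nine constructed requests only the last two are allowed; every encoded, doubled-slash, dot-segment or differently cased spelling of the two denied directories is rejected, while "/_asyncfoo" is allowed because it is a different directory rather than a path under /_async/.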

Rewterz Threat Alert – DNSpionage Threat Actors Resurface With “Karkoff” Malware

Severity

Medium

Analysis Summary


The DNSpionage malware campaign has resurfaced with a new sophisticated operation that infects selected victims with a new variant of the DNSpionage malware.

The DNSpionage attacks use compromised sites and crafted malicious documents to infect victims’ computers with DNSpionage—a custom remote administration tool that uses HTTP and DNS to communicate with the attacker-controlled command and control server.

With the release of Karkoff, the threat actors are placing more emphasis on evading detection and are primarily targeting victims in the Middle East region.

Indicators of Compromise

URLs

  • coldfart[.]com
  • rimrun[.]com
  • kuternull[.]com

Malware Hash (MD5/SHA1/SHA256)

  • 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c
  • 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11
  • b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04
  • cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5
  • e398dac59f604d42362ffe8a2947d4351a652516ebfb25ddf0838dd2c8523be8

Remediation

Block the threat indicators at their respective controls.


Rewterz Threat Alert – Standard Chartered Themed Phishing Email

Severity

Medium

Analysis Summary

A phishing email was reported that falsely appears to come from Standard Chartered bank and carries a malicious DOC file as an attachment. The sender’s email address is spoofed and the email subject is “Advice from Standard Chartered Bank”. Indicators of Compromise are given below.

Indicators of Compromise

IP(s) / Hostname(s)

  • 23.106.215[.]82
  • 185.94.98[.]201
  • 45.67.14[.]61

URLs

hxxp[:]//45.67.14[.]61/H/262614

Filename

26261.DOC

Email Address

AdvicesIN[@]sc[.]com

Email Subject

Advice from Standard Chartered Bank

Malware Hash (MD5/SHA1/SHA256)

  • 8a97f60ce666d5e4edd0b27ad796b5f2
  • dac0195dd0e26ea7ab8b4b2eb70582519c4151c8
  • 0df4bf73c687e29bdb8b45af44a414f37f239164ad340d19a593a28f0b5c0222

Remediation

Consider blocking access to the threat indicators at their respective controls.
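The alerts above list their indicators in defanged form (hxxp, [.], [@]) and ask the reader to block them at their respective controls. The following Python example is added here and is not part of any Rewterz advisory: it refangs and classifies such indicators, builds a matcher that also catches subdomains of a listed domain, and runs it over a few constructed Squid-style proxy log lines. The indicator values are copied from the alerts on this page; the log lines are constructed, and the assumption that the request URL is the seventh whitespace-separated field of each line is the author's, not a property of any particular proxy.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the alerts on this page, in their defanged form.
SAMPLE_IOCS = [
    "hxxp[:]//140[.]82[.]36[.]155/assests/eng_edge_new[.]html",
    "hxxp[:]//45.67.14[.]61/H/262614",
    "coldfart[.]com",
    "23.106.215[.]82",
    "AdvicesIN[@]sc[.]com",
]

# Constructed Squid-style access-log lines (assumption: the request URL is the 7th field).
SAMPLE_LOG = [
    "1556623431.101 45 10.0.0.5 TCP_MISS/200 512 GET http://140.82.36.155/assests/eng_edge_new.html - HIER_DIRECT/140.82.36.155 text/html",
    "1556623432.220 30 10.0.0.7 TCP_MISS/200 8123 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html",
    "1556623433.515 12 10.0.0.9 TCP_MISS/200 1024 GET http://www.coldfart.com/update - HIER_DIRECT/203.0.113.9 text/html",
    "1556623434.700 20 10.0.0.5 TCP_MISS/404 300 GET http://45.67.14.61/H/262614 - HIER_DIRECT/45.67.14.61 text/plain",
]

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(ioc):
    """Undo the usual defanging: [.] -> ., (.) -> ., [:] -> :, [@] -> @, hxxp(s) -> http(s)."""
    s = ioc.strip()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(defanged, real)
    return re.sub(r"^hxxp(s?)(?=:)", lambda m: "http" + m.group(1).lower(), s, flags=re.IGNORECASE)


def classify(ioc):
    """Return (kind, normalised value); kind is 'url', 'email', 'ip' or 'domain'.

    URLs are reduced to scheme://host/path (query string dropped) so that the same
    resource fetched with different parameters still compares equal."""
    s = refang(ioc)
    if "://" in s:
        p = urlsplit(s)
        return "url", f"{p.scheme.lower()}://{(p.hostname or '').lower()}{p.path or '/'}"
    if "@" in s:
        return "email", s.lower()
    if IPV4.fullmatch(s):
        return "ip", s
    return "domain", s.lower().rstrip(".")


class IocMatcher:
    """Exact URL and e-mail matching plus host matching that covers subdomains of a listed domain."""

    def __init__(self, iocs):
        self.urls, self.hosts, self.emails = set(), set(), set()
        for ioc in iocs:
            kind, value = classify(ioc)
            if kind == "url":
                self.urls.add(value)
                self.hosts.add(urlsplit(value).hostname)  # a listed URL's host is worth blocking on its own
            elif kind == "email":
                self.emails.add(value)
            else:
                self.hosts.add(value)

    def match_host(self, host):
        host = host.lower().rstrip(".")
        if IPV4.fullmatch(host):
            return host in self.hosts  # addresses match exactly only
        labels = host.split(".")
        # Walk up the label chain: www.listed.example matches listed.example,
        # but listed.example.org does not.
        return any(".".join(labels[i:]) in self.hosts for i in range(len(labels)))

    def match_url(self, url):
        """Return 'url' for an exact hit, 'host' for a host/subdomain hit, else None."""
        _kind, value = classify(url)
        if value in self.urls:
            return "url"
        if self.match_host(urlsplit(value).hostname or ""):
            return "host"
        return None


def scan_proxy_log(lines, matcher):
    """Return (line_number, reason, url) for every log line whose URL hits the indicator set."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 7:
            continue
        reason = matcher.match_url(fields[6])
        if reason:
            hits.append((n, reason, fields[6]))
    return hits


if __name__ == "__main__":
    for n, reason, url in scan_proxy_log(SAMPLE_LOG, IocMatcher(SAMPLE_IOCS)):
        print(f"line {n}: {reason} match on {url}")
```

Run against the constructed log, lines 1 and 4 hit on the exact URL and line 3 hits because www.coldfart.com is a subdomain of a listed domain; line 2 does not match. File hashes are deliberately not handled here, since they are matched against file inventories or EDR telemetry rather than proxy logs, and the e-mail indicator is only collected (in the emails set) for use against mail-gateway logs.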


Rewterz Threat Advisory – Google Chrome Multiple Vulnerabilities

Severity

High

Analysis Summary


A number of vulnerabilities are reported in Google Chrome.

1) A use-after-free error related to PDFium can be exploited to corrupt memory.
2) An integer overflow error related to ANGLE can be exploited to corrupt memory.
3) An error related to V8 can be exploited to corrupt memory.
4) A use-after-free error related to Blink can be exploited to corrupt memory.
5) Another use-after-free error related to Blink can be exploited to corrupt memory.
6) An error related to Autofill can be exploited to disclose certain information.
7) An error related to Blink can be exploited to bypass cross-origin restrictions.
8) An error related to the Omnibox can be exploited to conduct URL spoofing attacks.
Note: Vulnerability #8 only affects Google Chrome running on Apple iOS.
9) An error related to V8 can be exploited to cause an out-of-bounds read memory access.
10) An error related to Blink can be exploited to bypass cross-origin restrictions.
11) Another error related to Blink can be exploited to cause a heap-based buffer overflow.
12) An error related to exploit persistence extension exists. No further information is available.
Note: Vulnerability #12 only affects Google Chrome running on Android.
13) An error related to ANGLE can be exploited to cause a heap-based buffer overflow.
14) An error related to media reader exists. No further information is available.
15) An error related to developer tools exists. No further information is available.
16) An integer overflow error related to PDFium can be exploited to corrupt memory.
17) Another integer overflow error related to PDFium can be exploited to corrupt memory.
Successful exploitation of vulnerabilities #1 through #5, #11, #13, #16, and #17 may allow execution of arbitrary code.
18) An error related to the download manager can be exploited to bypass cross-origin restrictions.
19) An error related to forced navigation from a service worker exists. No further information is available.
20) Multiple unspecified errors exist. No further information is available.
The vulnerabilities are reported in versions prior to 74.0.3729.108.

Below are the CVE identifiers associated with these vulnerabilities.

CVE-2019-5817, CVE-2019-5807, CVE-2019-5808, CVE-2019-5812, CVE-2019-5816, CVE-2019-5820, CVE-2019-5821, CVE-2019-5815, CVE-2019-5805, CVE-2019-5822, CVE-2019-5814, CVE-2019-5811, CVE-2019-5823, CVE-2019-5809, CVE-2019-5819, CVE-2019-5813, CVE-2019-5810, CVE-2019-5806, CVE-2019-5818

Impact

  • System access
  • Exposure of sensitive information
  • Execution of arbitrary code
  • Spoofing
  • Security Bypass

Affected Vendors

Google

Affected Products

Google Chrome 73.x

Remediation

Upgrade Google Chrome to version 74.0.3729.108.


Copyright © Rewterz. All rights reserved.