Archive for November, 2019

Rewterz Threat Alert – Thanksgiving eCard Emails Distributing Malware

Severity

Medium

Analysis Summary

Malware distributors are sending out holiday-themed emails to distribute the Emotet Trojan and other malware. Thanksgiving Day greeting cards and office-closing notices with last-minute invoices embedded with malware are being pushed via malspam. Users who fall for the emails and open the attached Word documents will be left with a Windows computer infected with a password-stealing Trojan and possibly other malware.

Thanksgiving Day Greeting Card malspam

Another malspam campaign pretends to be responding to a previous query email and drops malware.


This email template also tells the user that the sender is closed for the Thanksgiving holiday and upcoming holidays. This may be done to create a sense of urgency and to get the recipient to open the email. Holiday-themed lures coupled with holiday business closures are likely to make users slip and open the attachments. These Word documents contain obfuscated macros and prompt the user to click “Enable macros”, “Edit content” or “Enable content”. The macros either download malware from a remote host or extract it from an embedded payload. In the Emotet malspam, the malware is extracted to a folder under %LocalAppData% and then executed.

Impact

  • Credential Theft
  • Unauthorized Remote Access
  • Ransomware infection

Indicators of Compromise

Filename

Thanksgiving-eCard.doc

MD5

51f5030a078f61a092f6876bca6efc53

SHA-256

a422f8d486c0f16d7629674570d187c9bcedd262c607ccc77709f9ab431de179

SHA1

b4c2e1c721c4287014bcb5e02700afb667b998fd

Remediation

  • Block the threat indicators at their respective controls.
  • Do not respond to holiday lures.
  • Do not download files attached to untrusted emails.
  • Do not enable macros without validating the legitimacy of their source.

Rewterz Threat Alert – Dexphot Malware Hijacked 80K+ Windows Computers to Mine Cryptocurrency

Severity

High

Analysis Summary

A new malware strain dubbed Dexphot has infected more than 80,000 Windows computers to mine cryptocurrency, and it uses monitoring services and scheduled tasks to rerun the infection if Windows Defender removes it. The malware uses fileless techniques: malicious code is executed directly in memory, and legitimate processes are hijacked to hide the malicious activity.
An obfuscated script that checks for antivirus products, together with regularly scheduled malware updates, is used in the infection to install a coin miner that silently steals computer resources and generates revenue for the attackers. During the initial execution stage, Dexphot first writes five key files to disk. With the exception of one of them, an installer with two URLs, these files are legitimate processes, which makes the malware difficult to detect. The legitimate system processes are msiexec.exe (for installing MSI packages later in the process), rundll32.exe (for loading a loader DLL, which later downloads a password-protected ZIP archive), unzip.exe (for extracting files from the password-protected ZIP archive), schtasks.exe (for scheduled tasks) and powershell.exe (for forced updates). The lone non-legitimate file (SoftwareBundler:Win32/ICLoader) is used primarily to run the Dexphot installer.

Once running, the installer then uses two URLs to download malicious payloads. Dexphot also uses these two URLs later to establish persistence, update the malware and re-infect the device.
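The chain of legitimate binaries described above can be turned into a detection rule over process-creation telemetry. This is an added example, not Rewterz or Microsoft code; the events are constructed, `icloader.exe` is a placeholder name for the bundler stage, and the command lines are illustrative.

```python
# Added detection example for the Dexphot-style chain: several legitimate
# Windows binaries launched under one non-system root process, plus the
# password-protected unzip and scheduled-task creation the alert describes.

# Constructed sample events: (pid, parent pid, image, command line).
SAMPLE_EVENTS = [
    (100, 1,   "explorer.exe",   "explorer.exe"),
    (200, 100, "icloader.exe",   "icloader.exe /silent"),            # placeholder bundler stage
    (210, 200, "msiexec.exe",    "msiexec.exe /i pkg.msi /q"),
    (220, 210, "rundll32.exe",   "rundll32.exe loader.dll,Start"),
    (230, 220, "unzip.exe",      "unzip.exe -P s3cret stage.zip"),   # password-protected archive
    (240, 220, "schtasks.exe",   "schtasks.exe /create /sc minute /mo 30 /tn Upd /tr x.exe"),
    (250, 220, "powershell.exe", "powershell.exe -w hidden -c iex(...)"),
    (300, 100, "unzip.exe",      "unzip.exe report.zip"),            # benign: one LOLBin, no chain
]

# The legitimate binaries the alert names as stages of the infection.
DEXPHOT_LOLBINS = {"msiexec.exe", "rundll32.exe", "unzip.exe", "schtasks.exe", "powershell.exe"}


def root_ancestor(pid, parent_of, image_of):
    """Walk up the process tree past any LOLBin stages to the first other process."""
    while pid in parent_of and image_of[pid].lower() in DEXPHOT_LOLBINS:
        pid = parent_of[pid]
    return pid


def detect_dexphot_chains(events, threshold=3):
    """Map root pid -> sorted stage binaries for roots whose descendants (directly
    or via other stage binaries) include at least `threshold` distinct stages."""
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    image_of = {pid: img for pid, _, img, _ in events}
    stages_by_root = {}
    for pid, ppid, img, _ in events:
        if img.lower() in DEXPHOT_LOLBINS:
            root = root_ancestor(ppid, parent_of, image_of)
            stages_by_root.setdefault(root, set()).add(img.lower())
    return {r: sorted(s) for r, s in stages_by_root.items() if len(s) >= threshold}


def secondary_signals(events):
    """Per-event indicators: unzip given a password (-P) and schtasks /create."""
    hits = []
    for pid, _, img, cmd in events:
        low = cmd.lower()
        if img.lower() == "unzip.exe" and " -p " in low:
            hits.append((pid, "unzip with password"))
        if img.lower() == "schtasks.exe" and "/create" in low:
            hits.append((pid, "scheduled task created"))
    return hits
```

A single LOLBin under a user shell (pid 300) is not flagged; the score comes from several distinct stages hanging off one root, which is the shape the alert describes.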

Impact

  • Process hijacking
  • Cryptocurrency mining

Indicators of Compromise

Domain Name

winc[.]com

Remediation

  • Block the threat indicators at their respective controls.
  • Refrain from visiting untrusted URLs found in email attachments, ads or elsewhere on the internet.
  • Do not download files attached in unexpected emails.

Rewterz Threat Alert – New DeathRansom Ransomware Successfully Encrypts Victim’s Files

Severity

High

Analysis Summary

Active distribution campaigns are running for the newly created DeathRansom ransomware. Initially, the ransomware failed to properly encrypt victims’ files, but it now successfully encrypts files on target systems, and its distribution is surging steadily.

When DeathRansom is launched it attempts to clear shadow volume copies. It then encrypts all files on the victim’s computer except those whose full path contains one of the following strings:

  • programdata
  • $recycle.bin
  • program files
  • windows
  • all users
  • appdata
  • read_me.txt
  • autoexec.bat
  • desktop.ini
  • autorun.inf
  • ntuser.dat
  • iconcache.db
  • bootsect.bak
  • boot.ini
  • ntuser.dat.log
  • thumbs.db

This functional variant does not append an extension to the name of encrypted files. The only way to identify that the file is encrypted by DeathRansom is by the ABEFCDAB file marker appended to the end of encrypted files.

File marker

In every folder where a file is encrypted, the ransomware creates a ransom note named read_me.txt that contains a unique “LOCK-ID” for the victim and an email address to contact the ransomware developer or affiliate.

DeathRansom Ransom Note
One strange thing that was noticed is that numerous victims infected by DeathRansom were also infected by the STOP Ransomware. As STOP is only distributed through adware bundles and cracks, it is possible that DeathRansom is distributed in a similar manner.
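Because this variant adds no extension, a responder has to look for the trailing file marker and the ransom notes to scope an infection. The scanner below is an added example (not Rewterz code); it assumes the marker is the literal ASCII text "ABEFCDAB" at the end of the file, checks the 4-byte hex form as well, and builds its own constructed test tree.

```python
import os
import tempfile

# Added scanner for the DeathRansom traits above (not Rewterz code). Assumption:
# the marker is ASCII "ABEFCDAB" at the end of the file; hex AB EF CD AB is also checked.
MARKERS = (b"ABEFCDAB", bytes.fromhex("ABEFCDAB"))
NOTE_NAME = "read_me.txt"
# Path substrings the ransomware skips; the scanner skips them too.
SKIP_SUBSTRINGS = ("programdata", "$recycle.bin", "program files", "windows",
                   "all users", "appdata", "read_me.txt", "autoexec.bat", "desktop.ini",
                   "autorun.inf", "ntuser.dat", "iconcache.db", "bootsect.bak",
                   "boot.ini", "ntuser.dat.log", "thumbs.db")

def is_skipped(path):
    """Case-insensitive substring match on the full path, as the exclusion list works."""
    return any(s in path.lower() for s in SKIP_SUBSTRINGS)

def has_marker(path):
    """True if the file's last bytes are one of the marker forms (read-only check)."""
    with open(path, "rb") as fh:
        fh.seek(max(0, os.path.getsize(path) - 8))
        return any(fh.read().endswith(m) for m in MARKERS)

def scan_tree(root):
    """Return (encrypted file paths, ransom note paths) found under root."""
    encrypted, notes = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                notes.append(full)
            elif not is_skipped(full) and has_marker(full):
                encrypted.append(full)
    return sorted(encrypted), sorted(notes)

def scan_sample():
    # Constructed fixture in a temp dir: one marked file, one untouched file,
    # a ransom note, and a marked file under a skipped path (not reported).
    root = tempfile.mkdtemp()
    fixture = {
        "docs/q3.xlsx": b"\x11\x22" * 100 + b"ABEFCDAB",
        "docs/clean.txt": b"hello world",
        "docs/read_me.txt": b"LOCK-ID: <placeholder>\n",
        "AppData/cache.bin": b"ABEFCDAB",
    }
    for rel, data in fixture.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    enc, notes = scan_tree(root)
    return [os.path.basename(p) for p in enc], [os.path.basename(p) for p in notes]
```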

Impact

  • File encryption
  • Loss of data

Indicators of Compromise

Remediation

  • Block the threat indicators at their respective controls.
  • Strictly avoid clicking on random ads found on the internet.
  • Do not follow links given in untrusted emails and do not download untrusted email attachments.

Rewterz Threat Alert – KingMiner Cryptocurrency Mining Malware

Severity

High

Analysis Summary

Brute-force (“blasting”) attacks against weak SQL passwords are resurfacing as KingMiner miners have taken control of tens of thousands of computers. The KingMiner variant is a Monero coin-mining Trojan that brute-forces logins on Windows servers running MSSQL. The attackers use a variety of evasion techniques to bypass virtual-machine analysis environments and security detection, which caused some anti-virus engines to fail to detect it accurately. The current version of KingMiner has the following features:
1. Brute-force attacks against MSSQL
2. Uses WMI timers and Windows scheduled tasks for persistence
3. Shuts down the RDP service on machines with the CVE-2019-0708 vulnerability to prevent other mining groups from getting in and to monopolize the controlled computer’s mining resources
4. Uses base64 and specially encoded XML, TXT and PNG files to store the Trojan programs in encrypted form
5. Uses signed executables from Microsoft and several well-known vendors as the parent process, starting the Trojan DLL through the “white + black” (DLL side-loading) technique.


The attack uses the Windows privilege-escalation vulnerability CVE-2019-0803. An attacker who successfully exploits this vulnerability can run arbitrary code in kernel mode and then install programs; view, change or delete data; or create new accounts with full user rights.
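The brute-force stage above can be spotted in SQL Server’s own ERRORLOG, where each rejected login is written as error 18456 with the client address. As an added example (not Rewterz code), the following flags clients that accumulate repeated failed logins within a short window; the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added detection example (not Rewterz code) for the MSSQL password-guessing
# stage, run over SQL Server ERRORLOG lines. The lines are constructed; the
# "Login failed for user ... [CLIENT: ip]" layout is what SQL Server writes for error 18456.
SAMPLE_LOG = """\
2019-11-25 09:40:01.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2019-11-25 10:02:13.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-11-25 10:02:14.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-11-25 10:02:14.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-11-25 10:02:15.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-11-25 10:02:15.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-11-25 10:02:16.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-11-25 10:30:22.90 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ Logon\s+Login failed for user '([^']*)'"
    r".*\[CLIENT: ([^\]]+)\]")


def parse_failures(text):
    """Yield (timestamp, user, client_ip) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def find_bruteforce(text, window=timedelta(minutes=1), threshold=5):
    """Return {client_ip: peak failures inside any `window`} for clients at or
    above `threshold`, i.e. the password-guessing pattern rather than a typo."""
    times_by_ip = defaultdict(list)
    for ts, _, ip in parse_failures(text):
        times_by_ip[ip].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

The two spread-out failures from the application account stay below the threshold, while the burst against `sa` is reported with its peak count.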

Impact

  • Cryptocurrency mining
  • Unauthorized Access
  • Privilege Escalation
  • Remote Code Execution

Indicators of Compromise

Source IP

  • 107.154.161[.]209
  • 95.179.131[.]54
  • 107.154.158[.]39

Remediation

  • Block the threat indicators at their respective controls.
  • Fix the elevation of privilege vulnerability CVE-2019-0803.
  • Harden the SQL Server and patch known server vulnerabilities. Enforce a secure password policy and use strong passwords.
  • Move the SQL Server service off its default port 1433, adjusting the setting according to the existing configuration, and set access rules that reject probes of port 1433.

Rewterz Threat Alert – Lazarus DTrack – IOCs

Severity

High

Analysis Summary

Cyberbit has released a report on a Remote Administration Tool (RAT) called Dtrack that was used in an attack on the Kudankulam Nuclear Power Plant (KNPP) in India, in what appears to be an APT attack. The North Korean threat group Lazarus (tracked internally as ITG03 by IBM), also widely known as HIDDEN COBRA, is believed to have authored Dtrack. Internal credentials for KNPP’s network were hard-coded into the version of Dtrack examined, implying it was the second phase of a targeted attack. Along with the Dtrack variant, three droppers were found in the network that share techniques with the banking trojans BackSwap and Ursnif. BackSwap inserts itself into legitimate applications such as OllyDbg, 7-Zip and FileZilla, so that the icon and program details appear legitimate. The Ursnif variant found was compiled without the NX bit set, which allows the malware to execute code directly from its heap or stack.

Impact

Exposure of sensitive information

Indicators of Compromise

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – Payment Service Platform Phishing

Severity

Medium

Analysis Summary

While reports of web skimmers have become fairly common over the last year or so, every so often there is a twist. A report from Malwarebytes Labs looks at the activities of a group who not only carry out skimming attacks, but also use phishing pages crafted to resemble those of payment service platforms to obtain credentials. The skimmer code is injected into web pages using the file “ga.js” which is crafted to appear as a Google Analytics library. The sample analyzed in the report is almost identical to the legitimate page with the only giveaway being the domain name involved. Once a victim enters their data into the fraudulent page, they will be redirected to the legitimate page and even have the correct payment amount inserted into the page.

Impact

Financial loss

Indicators of Compromise

IP

  • 124[.]156[.]34[.]157
  • 47[.]245[.]55[.]198
  • 5[.]53[.]124[.]235

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Copyright © Rewterz. All rights reserved.