Archive for December, 2019

Rewterz Threat Alert – Cobalt Group Operations Targeting Financial Institutions

Severity

High

Analysis Summary

Cobalt Group activity against financial institutions has been discovered using the CobInt malware family. The malspam e-mail distribution associated with this activity has a direct connection to subsequent successful attacks on the banks’ infrastructure (PCs, card systems, etc.). In particular, there were recorded cases of successful ATM cash-out attacks (substantial withdrawals from ATMs) and ATM jackpotting attacks (unauthorized dispensing of funds from bank ATMs with the help of a remote criminal team) in countries in Europe, Eastern Europe and Central Asia.

Impact

  • Theft of financial information
  • Fraudulent transactions

Indicators of Compromise

Domain Name

  • recreationbike.info
  • adminassistance.info

From Email

  • service@sonshinellc.com

Source IP

  • 184.154.136.86
  • 45.67.57.167
  • 193.124.16.34

Remediation

  • Block the threat indicators at their respective controls.
  • Keep all systems and software updated and patched against all known security vulnerabilities.
  • Implement real-time monitoring of ATMs to ensure that suspicious activity or processes involving ATM software is identified.
  • Keep ATM software patched and up-to-date.
  • Work with the ATM vendors to address overall ATM security.

Rewterz Threat Alert – BRONZE PRESIDENT Active in South and East Asia

Severity

Medium

Analysis Summary

BRONZE PRESIDENT is a likely People’s Republic of China (PRC)-based targeted cyber espionage group that uses both proprietary and publicly available tools to target NGO networks. Collected evidence indicates that network intrusions by this threat group may date back to 2014. The group targets NGOs, as well as political and law enforcement organizations, in countries in South and East Asia. It appears to have developed its own remote access tools, which it uses alongside publicly available remote access and post-compromise toolsets. After compromising a network, the threat actors elevate their privileges and install malware on a large proportion of systems. The group runs custom batch scripts to collect specific file types and takes proactive steps to minimize detection of its activities.

Impact

  • Unauthorized remote access
  • Network Intrusion
  • Privilege Escalation
  • Information Theft

Indicators of Compromise

URL

  • https://forexdualsystem.com/

Remediation

Block the threat indicators at their respective controls.


Rewterz Threat Alert – Zeppelin: Russian Ransomware Targets High Profile Users

Severity

Medium

Analysis Summary

Zeppelin is the newest member of the Delphi-based Ransomware-as-a-Service (RaaS) family initially known as Vega or VegaLocker. Zeppelin appears to be highly configurable and can be deployed as an EXE, a DLL, or wrapped in a PowerShell loader. The samples are spread via malspam and are hosted on water-holed websites and, in the case of the PowerShell loader, on Pastebin. There are reasons to believe at least some of the attacks were conducted through MSSPs, which would bear similarities to another recent highly targeted campaign that used the Sodinokibi ransomware.

There is a major shift in targets from Russian-speaking to Western countries, as well as differences in victim selection and malware deployment methods. Earlier this month, the ransomware targeted the healthcare and IT sectors.

Indicators of compromise are given below. Note that the URLs for this domain were found clean, while the files communicating with it were found to be malicious.


Impact

File encryption

Indicators of Compromise

Remediation

Block the threat indicators at their respective controls.


Rewterz Threat Alert – Malspam Pushes the Information Stealer ‘Lampion’

Severity

Medium

Analysis Summary

Email templates impersonating the Portuguese Government Finance & Tax authority are being used to push the Lampion malware via malspam. Portuguese users were targeted with emails reporting supposed issues related to a debt from 2018. When the victim clicks on the links in the email body, the malware is downloaded from a remote server. The downloaded file is a compressed (.zip) file named FacturaNovembro-4492154-2019-10_8.zip.

After extracting the archive, three files are presented.

The file “FacturaNovembro-4492154-2019-10_8.vbs” is the first stage of Lampion’s infection chain. It is a Visual Basic Script (VBScript) file that acts as a dropper and downloader: it downloads the next stage from a compromised server hosted on an AWS S3 bucket.

The Lampion trojan uses anti-debugging and anti-VM techniques. The use of a commercial protector known as VMProtector 3.x, together with specially crafted code, makes it difficult to analyze both in a sandbox environment and manually.

Impact

Exposure of sensitive information

Indicators of Compromise

URL

http[:]//100.26.189[.]49/PY/App[.]php?=5wzpz2e7xglkzmh

Remediation

  • Block the threat indicators at their respective controls.
  • Strictly avoid clicking on URLs found in untrusted emails.
  • Do not download files from untrusted emails or random sources on the internet.

Rewterz Threat Alert – Predator The Thief Malware – IoCs

Severity

High

Analysis Summary

A malspam campaign is spreading the Predator the Thief malware via malicious documents and URLs. The “Predator the Thief” stealer can steal stored passwords, cookies, credit card information and cryptocurrency wallets and send the data back to its C2 server. C2 domains associated with this campaign are given below.

Impact

  • Exposure of sensitive information
  • Credential Theft
  • Financial Loss

Indicators of Compromise

Domain Name

  • grsme[.]info
  • yoursmb[.]info

MD5

b05745fd160410d8067766b8ed2c19ce

SHA-256

c7764105809a4a01c9a3e9a3fcc8b208f4a78903b3508a17d60cfbb789c4d4bc

SHA1

c0b4e6233e40f4c3c9120fdec11a1cd70b74ae18

Source IP

92[.]63[.]197[.]238

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in emails coming from unknown sources.
  • Do not visit URLs attached with untrusted emails.
  • Do not enable macros for files accidentally downloaded when you visit a URL.

Rewterz Threat Advisory – Google Chrome Affected By Magellan 2.0 Flaws

Severity

High

Analysis Summary

Five vulnerabilities in Google Chrome that stem from SQLite could enable remote code execution. Dubbed Magellan 2.0, the flaws exist in the SQLite database management system. SQLite is a lightweight, self-contained database engine utilized widely in browsers, operating systems and mobile phones. Researchers were able to successfully exploit the Chrome browser leveraging the five vulnerabilities: CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753. The vulnerabilities could be exploited remotely via a crafted HTML page to launch an array of malicious attacks – allowing attackers to do anything from “bypass defense-in-depth measures” to “obtain potentially sensitive information from process memory.”

“If you are using a software that is using SQLite as component (without the latest patch), and it supports external SQL queries… Or, you are using Chrome that is prior to 79.0.3945.79 and it enabled WebSQL, you may be affected”, reports the advisory. The official fixed Chrome version 79.0.3945.79 has been released.

Impact

  • Remote Code Execution
  • Security Bypass
  • Information Disclosure

Affected Vendors

Google

Affected Products

Chrome/Chromium browsers prior to version 79.0.3945.79 with WebSQL enabled
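As an added example (not part of the Rewterz advisory), the following Python check flags Chrome/Chromium installs that are older than the fixed build 79.0.3945.79 named above, using numeric rather than string comparison so that a later major version such as 100.x is not mis-flagged; the inventory records and host names are constructed for illustration.

```python
"""Added example (not from the Rewterz advisory): flag Chrome/Chromium installs
that are older than the Magellan 2.0 fixed build 79.0.3945.79 and still have
WebSQL enabled. Inventory records below are constructed sample data."""

FIXED_CHROME = "79.0.3945.79"  # fixed version named in the advisory


def parse_version(v: str) -> tuple:
    """Split a dotted Chrome version into an integer tuple so comparisons are
    numeric: '100.0.4896.60' > '79.0.3945.79'. Plain string comparison gets
    this wrong because '1' sorts before '7'."""
    parts = []
    for p in v.strip().split("."):
        if not p.isdigit():
            raise ValueError(f"non-numeric version component in {v!r}")
        parts.append(int(p))
    while len(parts) < 4:  # pad so '79.0' and '79.0.0.0' compare equal
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str, websql_enabled: bool = True) -> bool:
    """Per the advisory: affected only if prior to the fixed build AND WebSQL is enabled."""
    return websql_enabled and parse_version(version) < parse_version(FIXED_CHROME)


def find_affected(inventory):
    """Return hostnames from an iterable of (host, chrome_version, websql_enabled)."""
    return [host for host, ver, websql in inventory if is_vulnerable(ver, websql)]


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    ("ws-01", "78.0.3904.108", True),   # older build, WebSQL on  -> affected
    ("ws-02", "79.0.3945.79", True),    # exactly the fixed build -> not affected
    ("ws-03", "79.0.3945.117", True),   # later patch level       -> not affected
    ("ws-04", "100.0.4896.60", True),   # string compare would wrongly flag this
    ("ws-05", "78.0.3904.108", False),  # old, but WebSQL disabled -> not flagged
]

if __name__ == "__main__":
    print("Affected hosts:", find_affected(SAMPLE_INVENTORY))
```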

Remediation

  • If your product uses Chrome/Chromium, please update to the official stable version 79.0.3945.79.
  • If your product uses SQLite, please update to the newest code commit.

Copyright © Rewterz. All rights reserved.