Archive for January, 2020

Rewterz Threat Alert – Microsoft Detects New Evil Corp Malware Attacks on Financial Institutions

Severity

High

Analysis Summary

A phishing campaign attributed by Microsoft to Evil Corp uses HTML redirector attachments to deliver malicious Excel documents; the final payload is dropped by a macro bundled in the Excel file. Evil Corp (also tracked as TA505 and SectorJ04) is a financially motivated cybercrime group known for large malicious spam campaigns, driven by the Necurs botnet, against retail companies and financial institutions. The group has distributed remote access Trojans (RATs) and malware downloaders that delivered the Dridex and TrickBot banking Trojans as secondary payloads, as well as the Locky, BitPaymer, Philadelphia, GlobeImposter and Jaff ransomware families, on its targets' computers. Note that other vendors reserve the name Evil Corp for the Dridex and BitPaymer operators (CrowdStrike's INDRIK SPIDER) and track TA505 as a separate group; the Dudear and GraceWire tooling described below is generally attributed to TA505.

The new campaign uses HTML redirectors attached to emails. When opened, the HTML leads to the download of Dudear, a macro-laden Excel file that drops the payload.

The HTML attachment automatically starts downloading the Excel file used to drop the payload. The document tells the victim that online previewing is unavailable, that it must be opened on their computer, and that editing must be enabled to see its contents; following those instructions is what lets the macro run. Once the macro executes, the malware attempts to drop an information-stealing Trojan that Microsoft tracks as GraceWire. Like most information stealers, it collects sensitive data from the victim's device and sends it to its operators via a command-and-control server.

Impact

  • Information Theft
  • Additional malware infection

Indicators of Compromise

MD5

  • e4f3f79678ddb3e304a256fa20154fbe
  • 674f833c4c33f5cc9d156533c1b63e12
  • 8b2bd6352e0ffe8b0e2bad20b49c8682
  • 2ba8747d8ace2e2fb879bb272b8c650f
  • e832505580d44c7ad1bee8a67c3ee280
  • c4aaab31a70a34709e28baaebd209629

SHA-256

  • d75c0e88f203dce04e7c90a32a17cee25e5d3acbb5add7c33d257b8600281f2b
  • 6dee4408f563522f7fe5efb9891c409827643039bf7c8cd17c0d80bcc2997ece
  • b81302bc5cbfeddf3b608a60b25f86944eddcef617e733cddf0fc93ee4ccc7ab
  • bf86ccaf5e7f20124a259212a3a78dae12ec2594f48d5256a01323c772abc606
  • 63c137ed882560ba03b7333a49b0714990c581f4e8a1b7579b339c74f465aa03
  • 44ffbe69f8f189de7fa4f794686241ee4c814de90681bfff0a37e344ed12954e

Source

http[:]//aka[.]ms/MsftSecIntel (Microsoft Security Intelligence, which reported this campaign; aka.ms is Microsoft's own short-link domain, not attacker infrastructure, and must not be blocked)

Remediation

  • Block the file hashes above at endpoint and mail-gateway controls.
  • Block macros in Office documents downloaded from the internet, and treat HTML attachments that redirect to an external download as suspicious.
  • Do not open attachments from untrusted emails, and never enable editing or content in a document whose only visible content is an instruction to do so.

Rewterz Threat Alert – New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset

Severity

High

Analysis Summary

APT34 (also known as OilRig or Helix Kitten) is a cluster of Iranian government-backed cyber espionage activities that has been active since 2014. The group is known to target various international organizations, mainly in the Middle East. Among their targeted industries are government agencies, financial services, energy and utilities, telecommunications, and oil and gas.

The lure is a file named survey.xls, designed to look like an employee satisfaction survey and tailored to either Westat employees or Westat customers.

At first the spreadsheet appears blank. Only once the victim enables macros is the survey displayed, and the malicious VBA code begins to execute at the same time.


The embedded VBA code unpacks a zip file into a temporary folder, extracts an executable named "Client update.exe" and installs it to C:\Users\<User>\vals\Client update.exe.

"Client update.exe" is a heavily modified version of the TONEDEAF malware, which the researchers who analyzed it named TONEDEAF 2.0. Finally, the VBA function crtt creates a scheduled task named "CheckUpdate" that runs the unpacked executable five minutes after infection and again at every subsequent logon.
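The persistence described above (a binary dropped under a user profile and a scheduled task that re-runs it at logon) is easy to check for with the XML that `schtasks /query /tn <name> /xml` prints. The script below is an added example, not part of the Rewterz alert or the original research; it parses that Task Scheduler XML and flags tasks whose command lives in a user-writable location, with extra weight when a logon trigger is present. The two sample tasks, the user name jdoe and the benign defrag task are constructed for the example.

```python
"""Triage Windows scheduled-task XML for user-profile persistence such as CheckUpdate.

Added example, not code from the Rewterz alert or the research it summarizes.
Input is the XML printed by `schtasks /query /tn <name> /xml` (Task Scheduler
2004 schema). The sample tasks below are constructed; the user name, times and
the benign comparison task are assumptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Legitimate tasks almost always run binaries from Program Files or %SystemRoot%.
# A command under a user profile, AppData or Temp deserves a look, and doubly so
# when the task fires at every logon.
USER_WRITABLE = re.compile(
    r'^(?:"?[a-z]:\\users\\|%userprofile%|%appdata%|%localappdata%|%temp%)', re.I)


def triage_task(xml_text: str) -> dict:
    """Return the task's name, trigger types, commands and a verdict with reasons."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    trig = root.find("t:Triggers", NS)
    # Strip the namespace: "{...}LogonTrigger" -> "LogonTrigger"
    triggers = [] if trig is None else [c.tag.split("}")[-1] for c in trig]
    commands = [
        c.text.strip() for c in root.iterfind("t:Actions/t:Exec/t:Command", NS)
        if c.text and c.text.strip()
    ]
    reasons = []
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            reasons.append(f"command runs from a user-writable path: {cmd}")
            if "LogonTrigger" in triggers:
                reasons.append("and it re-runs at every logon (persistence)")
    return {"name": name, "triggers": triggers, "commands": commands,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample mirroring the CheckUpdate task described above (assumed user jdoe).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\CheckUpdate</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger><StartBoundary>2020-01-20T10:05:00</StartBoundary></TimeTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\jdoe\vals\Client update.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: system binary, calendar trigger only.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2020-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK_XML, BENIGN_TASK_XML):
        result = triage_task(sample)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['name']}  triggers={result['triggers']}")
        for reason in result["reasons"]:
            print("           -", reason)
```

On a live host, export the task with `schtasks /query /tn CheckUpdate /xml` and feed the output to `triage_task`; the path heuristic is deliberately broad, so expect some installers and updaters to trip it and review those by hand rather than loosening the rule.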


Impact

Exposure of sensitive information

Indicators of Compromise

SHA-256

  • c10cd1c78c180ba657e3921ee9421b9abd5b965c4cdfaa94a58e383b45bb72ca
  • a897164e3547f0ce3aaa476b0364a200769e8c07ce825bcfdc43939dd1314bb1
  • d61eecd7492dfa461344076a93fc2668dc28943724190faf3d9390f8403b6411
  • 20b3d046ed617b7336156a64a0550d416afdd80a2c32ce332be6bbfd4829832c
  • 4c323bc11982b95266732c01645c39618550e68f25c34f6d3d79288eae7d4378

Remediation

  • Block all threat indicators at your respective controls.
  • Hunt for a scheduled task named CheckUpdate and for executables running from user-profile directories such as C:\Users\<User>\vals\.
  • Always be suspicious of emails sent by unknown senders, and of spreadsheets that appear blank until macros are enabled.
  • Never click on links or open attachments sent by unknown senders.

Rewterz Threat Alert – New Watering Hole Identified for Credential Harvesting

Severity

Medium

Analysis Summary

A Kuwaiti organization's webpage was used as an apparent watering hole. Between June and December 2019 the page contained a hidden image whose source referenced domains associated with malicious activity by the xHunt campaign operators. It is believed that the same actors behind the Hisoka attack campaign compromised the site and injected this HTML in an attempt to harvest credentials from visitors, specifically account names and password hashes: a browser that loads an image from a remote resource can be induced to authenticate to that resource, and depending on browser and zone settings it may send the user's Windows (NTLM) credentials automatically. It has not been confirmed, but the actors may have intended to crack these hashes to recover visitors' passwords, or to use the captured hashes in relay attacks to gain access to additional systems.

If the credential harvesting succeeds, the captured data has many uses for the attackers and can allow them to breach an organization and steal sensitive information. Because they would be using legitimate credentials, attackers can go undetected for long periods, infiltrate other parts of the organization and plant backdoors such as RATs to regain access even after being removed. The result can be significant damage to an organization over a prolonged period.
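Both of the HTML tricks on this page can be spotted statically: the Evil Corp lure is an HTML attachment that immediately redirects the browser to an external Office-document download, and the xHunt watering hole is a hidden image whose source points off-site so that the visitor's browser connects (and may authenticate) to attacker infrastructure. The script below is an added example, not code from the Rewterz alerts or the underlying Microsoft and Unit 42 research; it walks HTML with the standard-library parser and reports meta-refresh and script redirects to Office files on other hosts, and hidden images that load from other hosts, UNC paths or file: URLs. The sample pages, host names and file names are constructed.

```python
"""Triage HTML for auto-download redirectors and hidden off-site images.

Added example, not code from the Rewterz alerts or the research they cite.
Covers two patterns from this page: an HTML attachment that immediately
redirects to an Office download (the Dudear lure) and a hidden <img> whose
source is an external host, UNC path or file: URL (the watering hole).
All sample HTML, hosts and file names below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OFFICE_DOC = re.compile(r"\.(?:xls[xmb]?|doc[xm]?|xlam)(?:[?#]|$)", re.I)
META_URL = re.compile(r"""url\s*=\s*['"]?([^'"\s]+)""", re.I)
SCRIPT_REDIRECT = re.compile(
    r"""location(?:\.href)?\s*=\s*["']([^"']+)["']|location\.replace\(\s*["']([^"']+)["']""", re.I)


class HtmlTriage(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        # "" for a mail attachment: it has no host of its own, so every host is external
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False

    def _external(self, url):
        url = url.strip()
        if url.startswith("\\\\") or url.lower().startswith("file:"):
            return True  # UNC / file: sources make the browser open an SMB or WebDAV connection
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and host != self.page_host

    def _note_redirect(self, url):
        if self._external(url):
            kind = "auto-download-office" if OFFICE_DOC.search(url) else "external-redirect"
            self.findings.append((kind, url.strip()))

    @staticmethod
    def _hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style or "hidden" in a:
            return True
        try:  # 1x1 or 0x0 tracking-pixel sizing counts as hidden
            return int(a.get("width", "100")) <= 1 or int(a.get("height", "100")) <= 1
        except ValueError:
            return False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self._note_redirect(m.group(1))
        elif tag == "script":
            self._in_script = True
        elif tag == "img":
            src = a.get("src", "")
            if src and self._hidden(a) and self._external(src):
                self.findings.append(("hidden-external-image", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            for m in SCRIPT_REDIRECT.finditer(data):
                self._note_redirect(m.group(1) or m.group(2))


def triage_html(html, page_host=""):
    """Return a list of (finding, url) tuples for one HTML document."""
    p = HtmlTriage(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed: an HTML attachment that immediately pulls an .xls from another host.
REDIRECTOR_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://files.example-invalid.test/Payment_Advice.xls">
</head><body>Please wait while your document loads...</body></html>"""

# Constructed: a page with a normal logo plus a 1x1 hidden image pointing off-site.
WATERING_HOLE_PAGE = """<html><body><h1>Welcome</h1>
<img src="/images/logo.png" width="200" height="60">
<img src="http://cdn.example-attacker.test/s.png" width="1" height="1" style="display: none">
</body></html>"""

if __name__ == "__main__":
    print("attachment:", triage_html(REDIRECTOR_ATTACHMENT))
    print("web page:  ", triage_html(WATERING_HOLE_PAGE, "www.example-org.test"))
```

Run it over quarantined HTML attachments with an empty page host, and over a site's own pages with that site's host name; a hit on the image rule should be followed up by checking whether the referenced host answers with a 401 WWW-Authenticate: NTLM challenge, which is the tell for credential capture rather than ordinary tracking.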

Impact

Credential harvesting

Indicators of Compromise

URL

  • http[:]//ffconnectivitycheck[.]com/
  • http[:]//www[.]alforatsystem[.]com/%D9%85%D8%B7%D8%A7%D8%B1-%D8%A7%D9%84%DA%A9%D9%88%DB%8C%D8%AA-%D8%A7%D9%84%D8%AF%D9%88%D9%84%DB%8C/y[.]almayal[.]zip
  • https[:]//ns1[.]alforatsystem[.]com/
  • http[:]//googie[.]email/
  • http[:]//lowconnectivity[.]com/
  • http[:]//cloudipnameserver[.]com/
  • http[:]//www[.]cloudipnameserver[.]com/
  • http[:]//antivirus-update[.]top/
  • http[:]//google-update[.]com/cgi/1b50500dad/15687/7098/6a1b870f/227990648
  • http[:]//google-update[.]com/install/inst
  • http[:]//googleupdate[.]com/install/inst[.]php?vers=CL%201[.]0[.]0[.]0&id=GQVZDGJNSWAFJNRVAFIOSXCGKNRUYCHLPTWZ-9@21@2018%202@45@18%20PM2302725&sender=prizrak
  • http[:]//googleupdate[.]com/install/inst[.]php?vers=CL%201[.]0[.]0[.]0&id=JQUYCGKOSWZCGJMPTWZDGJOSYFKNRVZDGLOR-9@12@2018%2012@35@45%20AM633639&sender=prizrak
  • http[:]//google-update[.]com/install/inst/
  • http[:]//google-update[.]com/plugins/1b50500dad/15687/7098/6a1b870f/227990648/21353E1C29353F520B/True/True
  • http[:]//google-update[.]com/service/update[.]rd
  • http[:]//google-update[.]com/service/update[.]rdf
  • http[:]//google-update[.]com/service/update[.]xml
  • http[:]//ww11[.]google-update[.]com/service/update[.]rdf
  • http[:]//ww25[.]googleupdate[.]com/install/inst[.]php?vers=CL%201[.]0[.]0[.]0&id=JQUYCGKOSWZCGJMPTWZDGJOSYFKNRVZDGLOR-9@12@2018%2012@35@45%20AM633639&sender=prizrak
  • http[:]//ww25[.]google-update[.]com/service/update[.]rdf
  • http[:]//ww25[.]googleupdate[.]com/service/update[.]xml?os=win&arch=x86&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=49[.]0[.]2623[.]75&lang=zh-CN&x=id=eilhmoehgahbfcoknmpkccbdpmojpijh&v=1[.]0[.]2&uc
  • http[:]//ww6[.]googleupdate[.]com/install/inst[.]php?vers=CL%201[.]0[.]0[.]0&id=JQUYCGKOSWZCGJMPTWZDGJOSYFKNRVZDGLOR-9@12@2018%2012@35@45%20AM633639&sender=prizrak
  • http[:]//ww6[.]google-update[.]com/service/update[.]rdf
  • http[:]//ww6[.]googleupdate[.]com/service/update[.]xml?os=win&arch=x86&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=57[.]0[.]2987[.]98&lang=zhCN&x=id%3Dfplobmecckpccjkcnojgljfpiaekbnic%26v%3D3[.]0[.]1%26installsource%3Dnotfromwebstore%26uc
  • http[:]//www[.]google-update[.]com
  • http[:]//www[.]google-update[.]com/service/update[.]xml?os=win
  • http[:]//www[.]googleupdate[.]com/service/update[.]xml?os=win&arch=x86&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=49[.]0[.]2623[.]75&lang=zh-CN&x=id=eilhmoehgahbfcoknmpkccbdpmojpijh&v=1[.]0[.]2&uc
  • http[:]//www[.]googleupdate[.]com/service/update[.]xml?os=win&arch=x86&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=57[.]0[.]2987[.]98&lang=zhCN&x=id%3Dfplobmecckpccjkcnojgljfpiaekbnic%26v%3D3[.]0[.]1%26installsource%3Dnotfromwebstore%26uc
  • http[:]//sakabota[.]com/

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – Ryuk Ransomware – IOC’s

Severity

High

Analysis Summary

Many ransomware families have changed their tactics and victim selection in recent years. Rather than indiscriminate attacks against anyone they can infect, they have moved to what is called "big game hunting". The motivation behind this change is to increase the potential payout by targeting an organization rather than an individual: the adversary performs extensive reconnaissance on the target to determine what it may be able to pay, and instead of ransom demands of a few thousand dollars, aims for payouts in the hundreds of thousands to millions of dollars.

Hunting for Ransomware

One family in particular, Ryuk, has been attributed to the GRIM SPIDER threat actor group, which has operated it since August 2018. In recent months a staged attack dubbed the "triple threat" has emerged: initial access to the network is achieved with the Emotet malware family; once that foothold exists, the next stage, TrickBot, is delivered inside the target organization, where it steals credentials and moves laterally; the third stage uses TrickBot's lateral movement to execute Ryuk on as many workstations and servers as possible. Because encryption is the last step of a staged intrusion, the Emotet and TrickBot activity that precedes it is the practical detection opportunity.

Impact

File encryption

Indicators of Compromise

MD5

c8325c660ea72a8eb5281898f7a87f34

SHA-256

18faf22d7b96bfdb5fd806d4fe6fd9124b665b571d89cb53975bc3e23dd75ff1

SHA1

dd318ffdd4b1081733dccf95cddb4e000814e005

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – Vivin’s Cryptominers Spreading Through Pirated Software

Severity

Medium

Analysis Summary

A new threat actor, tracked as "Vivin", has been found running a long-term cryptomining campaign and is responsible for mining thousands of U.S. dollars' worth of Monero on infected hosts. The actor uses pirated software as the initial infection vector, masquerading the malware as popular applications. Once the initial infection is complete, Vivin quickly moves to common Windows tools, and has been successful at rotating infrastructure and wallets as needed to stay effective. Vivin configures the miners to use up to 80 percent of a system's CPU. Note that the command-and-control hostnames listed under Indicators of Compromise below mimic Windows process names (spoolsv, mstsc, mmc, lsass, csrss) on free dynamic-DNS zones, which helps them pass casual review of DNS logs.
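The naming habit is more durable than any single hostname, so a detection that keys on it will outlast the next infrastructure rotation. The script below is an added example, not from the Rewterz alert or the Vivin research it summarizes; it scans resolver log lines for exact matches against the listed hostnames and, more generally, for any lookup whose leftmost label is a Windows process name and whose zone is one of the dynamic-DNS providers seen here. The log format, client names and the extra hostnames in the sample are constructed.

```python
"""Flag DNS lookups for Windows-process-lookalike hosts on dynamic-DNS zones.

Added example, not code from the Rewterz alert or the Vivin research. It
generalizes the campaign's hostnames: besides exact indicator matches, it
flags any lookup whose leftmost label is a Windows process name and whose
zone is a free dynamic-DNS provider. The log format, client names and the
non-indicator hostnames below are constructed for this example.
"""

WINDOWS_PROCESS_NAMES = {
    "csrss", "lsass", "mmc", "mstsc", "spoolsv",                      # used in the campaign
    "svchost", "winlogon", "wininit", "services", "dwm", "explorer",  # same trick, other names
}
DYNAMIC_DNS_ZONES = {"publicvm.com", "linkpc.net"}  # zones seen in the campaign; extend as needed
KNOWN_HOSTS = {                                     # exact hostnames from the alert
    "spoolsv.linkpc.net", "mstsc.publicvm.com", "mmc.publicvm.com",
    "lsass.publicvm.com", "csrss.publicvm.com", "csrss.linkpc.net",
    "www.m9c.net", "ddl3.data.hu",
}


def classify_query(qname):
    """Return 'ioc-match', 'process-lookalike-ddns' or None for one query name."""
    name = qname.lower().rstrip(".")
    if name in KNOWN_HOSTS:
        return "ioc-match"
    labels = name.split(".")
    # Internal zones such as mmc.corp.example.test are not flagged: the
    # heuristic needs both the process-name label and a dynamic-DNS zone.
    if len(labels) >= 3 and labels[0] in WINDOWS_PROCESS_NAMES \
            and ".".join(labels[-2:]) in DYNAMIC_DNS_ZONES:
        return "process-lookalike-ddns"
    return None


def scan_dns_log(lines):
    """Parse '<date> <time> <client> <qname> <qtype>' lines; return (client, qname, verdict) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or malformed line
        verdict = classify_query(parts[3])
        if verdict:
            hits.append((parts[2], parts[3], verdict))
    return hits


# Constructed resolver log: the format is invented and the clients are not real hosts.
SAMPLE_DNS_LOG = """\
2020-01-15 09:12:01 ws-017 csrss.publicvm.com A
2020-01-15 09:12:07 ws-017 winlogon.linkpc.net A
2020-01-15 09:13:44 ws-022 www.example.test A
2020-01-15 09:14:02 ws-031 mmc.corp.example.test A
2020-01-15 09:15:19 ws-009 ddl3.data.hu A
""".splitlines()

if __name__ == "__main__":
    for client, qname, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client:8} {qname:28} {verdict}")
```

Adapt `scan_dns_log` to your resolver's real line format (Windows DNS debug logs, Sysmon event 22 or a passive-DNS export); the classification logic does not depend on it. Treat a lookalike hit as a lead rather than a verdict, and pair it with the sustained-CPU monitoring recommended under Remediation.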

Impact

  • Cryptocurrency mining
  • Slow system performance

Indicators of Compromise

Hostname

  • spoolsv[.]linkpc[.]net
  • mstsc[.]publicvm[.]com
  • mmc[.]publicvm[.]com
  • lsass[.]publicvm[.]com
  • csrss[.]publicvm[.]com
  • csrss[.]linkpc[.]net
  • www[.]m9c[.]net
  • ddl3[.]data[.]hu

MD5

  • b3e7aa693426736a592f3c9285f4d43f
  • 7461a1b47ce7d208ba092b1173877770
  • aeb6550fe0b4d7e84621bca174db8c75
  • afe892d48afb47428978892bf4fe65b7
  • fd820480df12caf43951f5f89f8deefc
  • 99f9f9bab13d4ebf030d6420fd776611
  • 2db6239d671016cb532975b2bb628e79
  • 3ae16e13c63ed3e7cd93cb7d2794cf98
  • 1f3528f48ae248a7f6bbe0b7ca194493
  • 768987f4b8dd8983b07824407e347797
  • 7a125adabc06ecc7c0d47a80d5efc16f
  • 1ba6b23a139f0f46c31f74b174f48be2
  • 52cd78b005e51ccce5ee5964ee326580
  • f0d6a0f3533541dec8e747c4f047e7f3
  • f531d573e5c6d5d0d07f949cb2b5b3b4
  • 5f7a3691420337a2edb87fb663cafd34

SHA-256

  • 31ac877d8c2c2a897eaff36b17d755466b8612ad2661510dd6b0d9484a2b1f6f
  • 51f9a6d7574361bcf49962e2471a1d096db6c0d713ae07485b2791e74134513c
  • 9d7f2684a4efdb4738527d37b7995a40d819909d08e7443a6583231a1454b50b
  • 47928d09921466ddf1597e1ef7e8ac12397df7e616cd0c1710f4fa8a6384b439
  • 705646f923a2412757bae71b60de0fef31284756768a59ef2057eaee7dfafe9f
  • f476867d8152fcf0cb989b0e2c935db87c37162af33350874d671f99154752cf
  • 8b7c197efab6f6c40b51df125d00e3de211ebb5123ee876f1992f03401559cda
  • ea647990182d7d3ac82ff9b6c99ed70a10473da16bc55eadb76131f78ed65fb9
  • 5dc7239df2e9fb497335cc846e09dfdd024e7345c44a96693022bedd240954de
  • a115451603cf9687c8c46945432033a942b4cd46a4209868e226e25a1a2e0ee1
  • 5331924e1e5a634e55e7a3daaff3d5204eff50c4dc166d4d9d516510fb91fa4e
  • 4ac6131d639aa802302ab4cf32b959f9ab5ec76752cc297eb380d5c23d4a68f2
  • 524fbc5fff1e91adcd4c72ce83b7f33fa424acefafb198f1701484cedc17c590
  • 79557c6d190d7daf34f10c7929facf56838ab27a5925f6f5197e1c0cbd660de3
  • da6908445649d30aff3f6ac9d9ec11c5f52c888c867ede766993c0fe731295fe
  • 8aa5d523158838bf58a80744f031192314215a3d4c32c4f8644f93370828825b

Source IP

  • 116[.]203[.]234[.]128
  • 116[.]203[.]29[.]111

URL

  • http[:]//csrss[.]publicvm[.]com[:]8094/Vre
  • http[:]//csrss[.]publicvm[.]com/Vre
  • http[:]//csrss[.]linkpc[.]net/Vre
  • http[:]//www[.]m9c[.]net[:]80/uploads/15621655811[.]jpg
  • http[:]//www[.]m9c[.]net/uploads/15723243711[.]png
  • http[:]//www[.]m9c[.]net/uploads/15572403801[.]jpg
  • http[:]//ddl3[.]data[.]hu/get/210358/11615096/Loader[.]jpg
  • http[:]//www[.]m9c[.]net/uploads/15743593161[.]jpg
  • http[:]//www[.]m9c[.]net/uploads/15723168051[.]png

Remediation

  • Block the threat indicators at their respective controls; the hostnames above sit on free dynamic-DNS zones (publicvm.com, linkpc.net), so consider alerting on any resolution within those zones.
  • Prevent the use of pirated software on endpoints.
  • Enable system resource monitoring to detect sustained or abnormal CPU usage on endpoints.

Rewterz Threat Advisory – CVE-2019-12636 – Cisco Small Business Smart and Managed Switches Cross-Site Request Forgery Vulnerability

Severity

High

Analysis Summary

Cisco Small Business Smart and Managed Switches are vulnerable to cross-site request forgery (CSRF) in their web-based management interface. Because the interface has insufficient CSRF protections, an unauthenticated, remote attacker can exploit the flaw by persuading a user of the interface to follow a malicious link while that user holds an authenticated management session; the browser then submits the attacker's request with the user's privileges. A successful exploit allows the attacker to perform arbitrary actions at the privilege level of the targeted user and, if that user is an administrator, to alter the configuration, execute commands or cause a denial of service (DoS) condition on the affected device. Note that the attacker never needs network reachability to the switch; the victim's browser provides it, so a management interface reachable only from an administrator's workstation is still exposed.
Cisco has released software updates that address this vulnerability.
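The bug class is a request handler that trusts the session cookie alone. The code below is an added example and is not Cisco's firmware, whose management interface is not public; it models a configuration-change endpoint twice, once with the weak behaviour the advisory describes and once with the three checks that close it (POST only for state changes, exact Origin/Referer match, and a per-session synchronizer token compared in constant time). The request shape, the config keys and the host names are assumptions made for the example.

```python
"""Vulnerable versus hardened handling of a state-changing management request.

Added example, not Cisco code and not taken from the advisory. It models the
bug class behind CVE-2019-12636: a web UI that honours a configuration change
on the strength of the session cookie alone. Request shape, config keys and
host names are assumptions for this example.
"""
import secrets
from urllib.parse import urlparse

OWN_ORIGIN = "https://switch.example.test"  # assumed management-interface origin


def issue_csrf_token(session):
    """Bind a fresh random token to the logged-in session (synchronizer token pattern)."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def vulnerable_handler(session, request, config):
    """Weak: any request carrying the session cookie is honoured.

    The browser attaches that cookie to a form POST (or an image/link GET) that a
    page on attacker.test triggers, so the attacker drives the admin's session.
    """
    if "user" not in session:
        return 401, "login required"
    config.update(request["form"])
    return 200, "applied"


def _request_origin(headers):
    """Scheme+host the browser asserts the request came from, or None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/").lower()
    referer = headers.get("Referer")
    if referer:
        p = urlparse(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}".lower()
    return None


def hardened_handler(session, request, config, own_origin=OWN_ORIGIN):
    """Same action with the checks a CSRF-safe interface needs."""
    if "user" not in session:
        return 401, "login required"
    # 1. State changes only via POST: a GET link the victim follows cannot reach the action.
    if request.get("method", "GET").upper() != "POST":
        return 405, "state change requires POST"
    # 2. Browser-asserted origin must equal ours exactly (not a prefix match, so
    #    https://switch.example.test.attacker.test does not pass).
    if _request_origin(request.get("headers", {})) != own_origin.lower():
        return 403, "cross-origin request rejected"
    # 3. The form must carry the session's token; compare in constant time.
    expected = session.get("csrf_token", "")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not secrets.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    config.update({k: v for k, v in request["form"].items() if k != "csrf_token"})
    return 200, "applied"


def demo():
    """Replay one forged cross-site POST against both handlers; return the outcomes."""
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.test"},
              "form": {"snmp_community": "attacker-rw"}}
    weak_cfg = {"snmp_community": "public"}
    hard_cfg = {"snmp_community": "public"}
    weak = vulnerable_handler(session, forged, weak_cfg)
    hard = hardened_handler(session, forged, hard_cfg)
    legit = {"method": "POST", "headers": {"Origin": OWN_ORIGIN},
             "form": {"snmp_community": "ops-ro", "csrf_token": token}}
    ok = hardened_handler(session, legit, hard_cfg)
    return {"weak": weak, "weak_cfg": weak_cfg, "hard": hard, "hard_cfg": hard_cfg, "legit": ok}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:9} {v}")
```

Marking the session cookie SameSite=Lax (or Strict) adds a browser-side layer, but it is not a substitute for the server checks above, and none of this helps until the switch itself is on a fixed release: until then, keep the management interface on a dedicated network and log out of it before browsing elsewhere.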

Impact

  • Cross-site Request Forgery
  • Privilege Abuse
  • Unauthorized Command Execution
  • Denial of Service

Affected Vendors

Cisco

Affected Products

  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 550X Series Stackable Managed Switches
  • Small Business 200 Series Smart Switches
  • Small Business 300 Series Managed Switches
  • Small Business 500 Series Stackable Managed Switches

Remediation

Cisco fixed this vulnerability in Release 2.5.0.90 for the following Cisco products:

  • 250 Series Smart Switches
  • 350 Series Managed Switches
  • 550X Series Stackable Managed Switches

Cisco fixed this vulnerability in Release 1.4.11.02 for the following Cisco products:

  • Small Business 200 Series Smart Switches
  • Small Business 300 Series Managed Switches
  • Small Business 500 Series Stackable Managed Switches

Copyright © Rewterz. All rights reserved.