Archive for category Rewterz News

Rewterz Threat Alert – Emotet Revival with Spam Emails Around the World

Severity

Medium

Analysis Summary

Emotet is back and targeting users around the world with its familiar tactics. So far the campaign has reached almost 66,000 unique emails spanning more than 30,000 domain names from 385 unique top-level domains (TLDs).

The malicious emails came from 3,362 different senders whose credentials had been stolen; their addresses spanned 1,875 unique domains, covering a little over 400 TLDs.


Initially there was no definitive answer on the payload, only unconfirmed reports that some U.S.-based hosts received TrickBot, a banking trojan turned malware dropper, as a secondary infection dropped by Emotet.

From current observations and spam emails shared by Cofense and JamesWT, today's Emotet campaign relies mostly on emails with a financial theme that appear to be replies to an earlier conversation. This was observed in the following message in English:

[Image: Emotet email sample (English)]

Polish and Italian users received a similar message, urging them to take a look at a bill that caused some problems:

[Image: Emotet email sample (Italian)]

In a message likely to a German recipient, the sender claimed there were issues with some documentation and asked the recipient to take a look:

[Image: Emotet email sample (German)]

Impact

  • Credential theft
  • Exposure of sensitive information

Indicators of Compromise

URLs


Malware Hash (MD5/SHA1/SHA256)


Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.

Rewterz Threat Advisory – CVE-2016-1409 – Cisco Products IPv6 Neighbor Discovery Crafted Packet Vulnerability

Severity

High

Analysis Summary

The vulnerability is due to insufficient processing logic for crafted IPv6 packets that are sent to an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 Neighbor Discovery (ND) packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to stop processing IPv6 traffic, leading to a DoS condition on the device.

Impact

Denial of Service

Affected Vendors

Cisco

Remediation

Please see the vendor's advisory for more details and for the list of affected products.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6


Rewterz Threat Alert – Phishing Attack Targets The Guardian’s Whistleblowing Site

Severity

Medium

Analysis Summary

The Guardian’s SecureDrop whistleblower submission site was targeted with a phishing page that attempted to harvest the unique “codenames” for sources who submitted information using the service. In addition, this phishing page promoted an Android app that allowed attackers to perform a variety of malicious activity on a victim’s device.

[Image: the real Guardian SecureDrop site]

When a source wishes to submit confidential information to the media outlet's journalists, they receive a codename that is then used for further communication. This codename is meant to be private, as anyone who knows it can see the source's past communications with journalists.

[Image: example SecureDrop codename]

Once the attackers obtain a source's codename, they can log in with it on The Guardian's real SecureDrop site, impersonate the source, and steal information and communications.

Impact

Exposure of sensitive information

Affected Vendors

The Guardian

Remediation

  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.


Rewterz Threat Alert – InnfiRAT Malware Steals Litecoin And Bitcoin Wallet Information

Severity

Medium

Analysis Summary

As with just about every piece of malware, InnfiRAT is designed to access and steal personal information on a user's computer. Among other things, it looks for cryptocurrency wallet information, such as Bitcoin and Litecoin wallets. InnfiRAT also grabs browser cookies to steal stored usernames and passwords, as well as session data. In addition, the RAT has screenshot functionality, so it can grab information from open windows; for example, if the user is reading email, the malware takes a screenshot. It also checks for other applications running on the system, such as an active antivirus program.

Impact

  • Exposure of sensitive information
  • Financial loss
  • Credential theft

Indicators of Compromise

IP(s) / Hostname(s)

62[.]210[.]142[.]219

Malware Hash (MD5/SHA1/SHA256)

f992dd6dbe1e065dff73a20e3d7b1eef

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.

Rewterz Threat Alert – Ordinypt Malware Hitting Germany in New Spam Campaign

Severity

High

Analysis Summary

A new spam campaign is underway that pretends to be a job application from “Eva Richter” who is sending her photo and resume. This resume, though, is actually an executable masquerading as a PDF file that destroys a victim’s files by installing the Ordinypt Wiper.

Ordinypt is destructive malware commonly targeted at German users. It pretends to be ransomware that has encrypted the victim's files and demands a ransom to get them back. Unfortunately, even if the victim pays the ransom, the files have already been overwritten with garbage and cannot be decrypted.
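As an added example (not part of this alert), a mail-gateway style check that flags attachment names using the double-extension trick described above, such as an executable hiding behind a ".pdf" suffix; the extension lists are assumptions, not any vendor's policy:

```python
"""Flag mail attachments using the double-extension trick from the Ordinypt
campaign ("<name>.pdf.exe"). Added example; the extension lists are assumptions
for illustration, not taken from any vendor product."""
from pathlib import PurePosixPath

# Extensions Windows runs directly on double-click (assumed policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi"}
# Decoy extensions that make an executable look like a document or image.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
              ".jpg", ".jpeg", ".png", ".gif", ".txt", ".rtf", ".zip"}


def classify_attachment(filename):
    """Return 'double_extension', 'executable' or 'ok' for one attachment name."""
    # Strip whitespace from each suffix so padded names like
    # 'photo.jpg      .scr' (spaces pushing .scr out of view) are still caught.
    suffixes = [s.strip().lower()
                for s in PurePosixPath(filename.strip()).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "double_extension"
    return "executable"


def flag_attachments(filenames):
    """Return [(filename, verdict)] for every attachment that is not 'ok'."""
    flagged = []
    for name in filenames:
        verdict = classify_attachment(name)
        if verdict != "ok":
            flagged.append((name, verdict))
    return flagged


if __name__ == "__main__":
    # First name is the attachment from this alert; the rest are constructed.
    samples = [
        "Eva Richter Bewerbung und Lebenslauf.pdf.exe",
        "Lebenslauf.pdf",
        "Rechnung 2019.xlsx",
        "photo.jpg      .scr",
        "setup.exe",
    ]
    for name, verdict in flag_attachments(samples):
        print(f"{verdict:17s} {name}")
```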

The ransom note goes like this:

[Image: Ordinypt ransom note]

Impact

File encryption

Indicators of Compromise

Filename

Eva Richter Bewerbung und Lebenslauf.pdf.exe

Malware Hash (MD5/SHA1/SHA256)

24de0b9eb94e6f80fcd9078112015a92d9c42cec889452f069447af461edd7ff

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.

Rewterz Threat Alert – Lokibot Malware – IoCs

Severity

Medium

Analysis Summary

New campaigns have been discovered distributing the Lokibot malware. Successful infection could lead to exposure of sensitive information or credential theft.

Indicators of Compromise are given below.

Impact

  • Exposure of sensitive information
  • Credential theft

Indicators of Compromise

URLs


Malware Hash (MD5/SHA1/SHA256)


Remediation

  • Block the threat indicators at their respective controls.
  • Do not execute files without scanning.
  • Do not download email attachments coming from untrusted sources.
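The Emotet and Lokibot alerts above both end with "block the threat indicators at your respective controls"; as an added example (not part of the alerts), the following refangs indicators written in the alerts' defanged notation and groups them for the control that consumes each type. The sample indicators are constructed, not the campaigns' real ones.

```python
"""Refang the defanged indicators used in these alerts into per-control blocklists.
Added example; the sample indicators below are constructed, not the campaigns' real ones."""
import re
from urllib.parse import urlsplit

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"(\d{1,3}\.){3}\d{1,3}")
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def refang(indicator):
    """Undo the defanging used in the alerts: [.] -> . and [:] -> : ."""
    return indicator.strip().replace("[.]", ".").replace("[:]", ":")

def classify(indicator):
    """Return (kind, value); kind is url, ip, host, md5, sha1, sha256 or unknown."""
    value = refang(indicator)
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)], value.lower()
    if "://" in value:
        return "url", value
    host = value.split(":")[0]  # tolerate bare IPv4 host:port (IPv6 not handled)
    if IPV4_RE.fullmatch(host):
        return "ip", host
    if HOST_RE.fullmatch(host):
        return "host", host.lower()
    return "unknown", value

def build_blocklist(indicators):
    """Group by consuming control: URL filter (urls), DNS/proxy (hosts), firewall
    (ips), AV/EDR (md5/sha1/sha256). Each URL's host is added too, so the domain
    stays blocked if the attacker rotates the path."""
    out = {k: set() for k in ("urls", "hosts", "ips", "md5", "sha1", "sha256")}
    for ind in indicators:
        kind, value = classify(ind)
        if kind == "url":
            out["urls"].add(value)
            kind, value = classify(urlsplit(value).hostname or "")
        if kind in ("ip", "host"):
            out[kind + "s"].add(value)
        elif kind in HASH_TYPES.values():
            out[kind].add(value)
    return {k: sorted(v) for k, v in out.items()}

SAMPLE_INDICATORS = [  # constructed, in the alerts' notation; hashes are of the empty string
    "http[:]//www[.]example[.]com/wp-content/uploads/AbCdEf/",
    "http[:]//192[.]0[.]2[.]10[:]8080",
    "masterwork-example[.]com",
    "d41d8cd98f00b204e9800998ecf8427e",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]
```

Running `build_blocklist(SAMPLE_INDICATORS)` yields one sorted list per control, with the URL hosts duplicated into the host and IP lists.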

Copyright © Rewterz. All rights reserved.