Rewterz Threat Alert – Satan ransomware rebrands as 5ss5c ransomware

Severity

High

Analysis Summary

The cybercrime group behind the Satan, DBGer and Lucky ransomware, and possibly Iron ransomware, recently introduced a new version or rebranding named “5ss5c”. This version of the ransomware adds the EternalBlue exploit and new functionality.

It will download and leverage:

  • Spreader (EternalBlue and hardcoded credentials)
  • Mimikatz and what appears to be another password dumper/stealer
  • The actual ransomware

Indicators of compromise are given below.

Impact

  • Files Encryption
  • Credential theft
  • Information theft

Indicators of Compromise

From Email

5ss5c@mail[.]ru

Source IP

  • 58[.]221[.]158[.]90
  • 61[.]186[.]243[.]2

URL

  • http[:]//58[.]221[.]158[.]90[:]88/car/cpt[.]dat
  • http[:]//58[.]221[.]158[.]90[:]88/car/down[.]txt
  • http[:]//58[.]221[.]158[.]90[:]88/car/c[.]dat

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in untrusted emails.
  • Do not click on URLs attached in untrusted emails.
  • Maintain a backup for all files.

Rewterz Threat Alert – Emotet Malware Hacks Nearby Wi-Fi Networks to Infect New Victims

Severity

High

Analysis Summary

Emotet has found a new attack vector: using already infected devices to identify new victims connected to nearby Wi-Fi networks. The Emotet sample leverages a “Wi-Fi spreader” module to scan for Wi-Fi networks and then attempts to infect devices connected to them. This module has been running “unnoticed” for around two years. The development marks an escalation of Emotet’s capabilities, as networks in close physical proximity to the original victim are now susceptible to infection. The updated version of the malware works by leveraging an already compromised host to list all nearby Wi-Fi networks. To do so, it uses the wlanAPI interface to extract the SSID, signal strength, the authentication method (WPA, WPA2, or WEP), and the encryption mode used to secure passwords. The worm attempts to connect to the networks by brute-forcing passwords obtained from one of two internal password lists; if a connection fails, it moves to the next password in the list. It is not immediately clear how these password lists were put together.

If the operation succeeds, the malware connects the compromised system to the newly accessed network and begins enumerating all non-hidden shares. It then carries out a second round of brute-force attacks to guess the usernames and passwords of all users connected to the network resource. A successful brute force leads to the next phase: installing a malicious payload, called “service.exe”, on the newly infected remote systems. To cloak its behavior, the payload is installed as a Windows Defender System Service (WinDefService). In addition to communicating with a command-and-control (C2) server, the service acts as a dropper and executes the Emotet binary on the infected host. The malware can also be detected by actively monitoring processes running from temporary folders and user profile application data folders.
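The detection hint in the last sentence, worked as an added Python example that is not part of the original alert: it runs two checks over a constructed process and service inventory, flagging executables in user-writable folders and any service that presents as Windows Defender but does not run from Defender's own directories. The inventory records, the user name "alice", the PIDs and the Defender platform path are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed inventory of running processes and installed services on one Windows
# host (not real telemetry); the user name "alice" and all PIDs are invented.
PROCESSES: List[Dict[str, str]] = [
    {"pid": "604", "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": "3120", "image": r"C:\Users\alice\AppData\Local\Temp\service.exe"},
    {"pid": "3188", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"pid": "4010", "image": r"C:\Users\alice\AppData\Roaming\update.exe"},
]
SERVICES: List[Dict[str, str]] = [
    {"name": "WinDefend", "display": "Microsoft Defender Antivirus Service",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2001.10\MsMpEng.exe"},
    {"name": "WinDefService", "display": "Windows Defender System Service",
     "image": r"C:\Users\alice\AppData\Local\Temp\service.exe"},
]

# Directories any unprivileged user can write to: per-user AppData, any Temp folder,
# and Downloads. Long-lived services and droppers like service.exe show up here.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\", re.I
)
# Where the genuine Defender engine lives; a "Defender" service elsewhere is suspect.
DEFENDER_DIRS = re.compile(
    r"^[A-Za-z]:\\(Program Files|ProgramData\\Microsoft)\\Windows Defender\\", re.I
)


def suspicious_processes(procs: List[Dict[str, str]]) -> List[str]:
    """PIDs of processes whose image lives in a user-writable directory."""
    return [p["pid"] for p in procs if USER_WRITABLE.search(p["image"])]


def defender_impostors(services: List[Dict[str, str]]) -> List[str]:
    """Service names that present as Windows Defender but run from the wrong place."""
    hits = []
    for s in services:
        claims_defender = "defender" in s["display"].lower() or s["name"].lower().startswith("windef")
        if claims_defender and not DEFENDER_DIRS.match(s["image"]):
            hits.append(s["name"])
    return hits


if __name__ == "__main__":
    print("processes from user-writable paths:", suspicious_processes(PROCESSES))
    print("Defender impostor services:", defender_impostors(SERVICES))
```

On a live host the two lists would come from a process and service inventory (for example Get-Process and Get-CimInstance Win32_Service); the path checks are a triage filter, not proof of infection.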

Impact

  • Infection of Wi-Fi networks
  • Unauthorized Access

Indicators of Compromise

Source IP

  • 87.106.37.146
  • 45.79.223.161

Remediation

  • Block the threat indicators at their respective controls.
  • Implement very strong passwords for wireless networks.

Rewterz Threat Alert – Cracked Software Used to Distribute Malware

Severity

High

Analysis Summary

Cracked software is being used in a campaign to distribute multiple malware families that are estimated to have infected some half a million systems. Allegedly cracked versions of software are being used to install malware, most of which has been stored on a public code repository platform under a number of different accounts. According to an estimate in a report from Cybereason, half a million machines may have fallen victim to this campaign. When a victim installs one of the cracked versions of software, they are first infected with the Azorult information stealer. Next, Predator is installed; it downloads further malware from the repository, which may include Evasive Monero, an XMRig dropper, STOP ransomware, the Vidar information stealer, the Amadey Trojan, and IntelRapid, which is used to steal cryptocurrency. The copies of malware used in the campaign are regularly updated and are packed using Themida. Azorult gains additional layers of obfuscation through the use of the CypherIT AutoIt packer.

Impact

  • Information theft
  • Crypto mining
  • File encryption

Indicators of Compromise

URL

  • https[:]//bitbucket[.]org/CurtisHedman/profile/repositories/
  • https[:]//bitbucket[.]org/joegraham119/repo/downloads/
  • https[:]//bitbucket[.]org/kevinhynes/first/downloads/
  • https[:]//bitbucket[.]org/Inter577/inter/downloads

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – Espionage Campaign targeting Malaysia Government Officials

Severity

High

Analysis Summary

Researchers observed an increase in the number of artifacts and victims involved in a campaign against Malaysian government officials by a specific threat group. The group's motives are believed to be data theft and exfiltration. The group has leveraged previously compromised email addresses, or impersonated email addresses, to send spear-phishing emails. The delivery method was spear-phishing emails with malicious attachments, although delivery via Google Drive has also been observed. This includes pretending to be a journalist, an individual from a trade publication, or someone from a relevant military organization or non-governmental organization (NGO), asking users to enable macros in a Microsoft Office document that then extracts a malicious executable to download the loader.

Impact

  • Data breach
  • Exposure of sensitive information

Indicators of Compromise

SHA-256

  • fce38b7bb25817ccaf921d5ac96f4e6c9b865fbe020204af5cf34b604868d1fa
  • 4b0a9cbd861b67ad54cab8b46941212bfd1bf1943c7b9942d545a144ffcd5da6
  • f3186dafca8b032f5b942d81b66d3ab631dc41463d3c8d319f1a0a374f809cdf

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – Emotet/TrickBot Malware Recent Samples – IoCs

Severity

High

Analysis Summary

Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive via a malicious script, a macro-enabled document file, or a malicious link. Emotet emails may contain familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language and clickbait such as “Your Invoice,” “Payment Details,” or an upcoming shipment from a well-known parcel company. A fresh campaign has been discovered distributing both the Emotet and the TrickBot malware. Indicators of compromise are given below.

Impact

  • Credential theft
  • Exposure of sensitive information
  • Unauthorized Remote Access

Indicators of Compromise

MD5

  • 1044750deccfe551caff847a98eb4b17
  • 9ee1b22b752f25be9182a5d04cf90b3c
  • c17722b468222c45bab8e6cdc83b0748
  • 6b8ba6c385b150bf788faea38b3bf6d8

SHA-256

  • 4ebe60b05162d6264ec0034d02e3ab01e062510a0f4344abbdc17524242d9a73
  • 2a1fd547e8236424e46fa2482d3db48dc7de8e6efe84397ccc9582055e268e69
  • 061dae2be3b5b2bf9c7fc9a16a92d6031e5dbda377b97e9f7371598ac67593f1
  • 72a7981d188c5f8cfc12ea991cb8a4e968993cb63a9fedda6616766e0d2ee6d0

URL

  • http[:]//msek[.]lviv[.]ua/wp-includes/report/
  • http[:]//msek[.]lviv[.]ua/
  • http[:]//ingarden[.]lviv[.]ua/

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download email attachments from untrusted emails.

Rewterz Threat Alert – Iranian Campaign Tailored to US Companies Introduces TONEDEAF 2.0

Severity

High

Analysis Summary

APT34 (also known as OilRig or Helix Kitten) is a cluster of Iranian government-backed cyber espionage activity that has been active since 2014. The group is known to target various international organizations, mainly in the Middle East. Among its targeted industries are government agencies, financial services, energy and utilities, telecommunications, and oil and gas. In late January 2020, a file named survey.xls was discovered that was designed to look like an employee satisfaction survey tailored to either Westat employees or Westat customers. At first the spreadsheet appears to be blank; only once the victim enables macros is the survey displayed and the malicious VBA code begins to execute. The embedded VBA code unpacks a zip file into a temporary folder, extracts a “Client update.exe” executable and installs it to “C:\Users\vals\Client update.exe”. “Client update.exe” is actually a heavily modified version of the TONEDEAF malware, named TONEDEAF 2.0. Finally, the crtt function creates a scheduled task named “CheckUpdate” that runs the unpacked executable five minutes after infection, as well as on future log-ons.
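The scheduled-task persistence described above, as an added Python triage example that is not part of the original alert: it parses a constructed sample shaped like `schtasks /query /fo CSV /v` output (reduced to a handful of its real columns) and flags tasks whose action runs from a user profile and whose author is not a vendor. The host name "WS01", the defrag and OneDrive rows and all status values are constructed; only the “CheckUpdate” task name and its path come from the alert.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output, cut down to
# a few of its real columns. Host "WS01" and every row except the CheckUpdate task's
# name and path (both from the alert) are invented for illustration.
SAMPLE_CSV = (
    '"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation",'
    '"%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM","Weekly"\n'
    '"WS01","\\CheckUpdate","Ready","WS01\\vals","C:\\Users\\vals\\Client update.exe",'
    '"WS01\\vals","At logon time"\n'
    '"WS01","\\OneDrive Standalone Update Task","Ready","Microsoft Corporation",'
    '"C:\\Users\\vals\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe",'
    '"WS01\\vals","Daily"\n'
)

# A task action starting inside C:\Users\<name>\ runs code the user (or malware running
# as the user) could have written there; System32 and Program Files are not matched.
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.I)


def parse_schtasks_csv(text: str) -> List[Dict[str, str]]:
    """Parse schtasks CSV output into one dict per task, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_tasks(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(task name, schedule type, command) for tasks that run from a user profile and
    are not vendor-authored. Author is attacker-writable, so an empty result is a
    starting point for review, not a clean bill of health; the Microsoft check only
    keeps known per-user updaters such as OneDrive out of the analyst queue."""
    hits = []
    for r in rows:
        cmd = r["Task To Run"].strip().strip('"')
        vendor = r["Author"].lower().startswith("microsoft")
        if USER_PROFILE.match(cmd) and not vendor:
            hits.append((r["TaskName"], r["Schedule Type"], cmd))
    return hits


if __name__ == "__main__":
    for name, when, cmd in triage_tasks(parse_schtasks_csv(SAMPLE_CSV)):
        print(f"{name}: runs {cmd!r} ({when})")
```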

Impact

  • Unauthorized Code Execution
  • Detection Evasion
  • Information Theft

Indicators of Compromise

Domain Name

manygoodnews[.]com

Filename

  • Client update[.]exe
  • survey[.]xls

MD5

  • 17150a137c43235ad07011b552f9ff27
  • b15552213169ad3b8efb14470987a335
  • 51e362e8dc8d5ed7228af47ed913242a
  • 8beb7bb883a091d2690982d9d46d3bb4
  • e2fc67d5572f66f92c21a9d95a4df2d0

SHA-256

  • c10cd1c78c180ba657e3921ee9421b9abd5b965c4cdfaa94a58e383b45bb72ca
  • a897164e3547f0ce3aaa476b0364a200769e8c07ce825bcfdc43939dd1314bb1
  • d61eecd7492dfa461344076a93fc2668dc28943724190faf3d9390f8403b6411
  • 20b3d046ed617b7336156a64a0550d416afdd80a2c32ce332be6bbfd4829832c
  • 4c323bc11982b95266732c01645c39618550e68f25c34f6d3d79288eae7d4378

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files/click on URLs attached in untrusted emails.
  • Do not enable macros for files coming from unverified sources.