Severity
High
Analysis Summary
FireEye tracks a threat actor named APT36, also known as Lapis, a Pakistan-based cyber espionage group that supports Pakistani military and diplomatic interests and targets the Indian military and government with malware named SeedDoor. CrowdStrike has tracked a similar group under the name MYTHIC LEOPARD since 2016. Crimson RAT, however, was previously used by the Pakistani threat actor Transparent Tribe. Recently, a revival of Crimson RAT campaigns has been detected. The attackers use phishing emails to deliver malicious files: Microsoft Excel documents that leverage the CVE-2017-0199 vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit.
The attack flow is given below:
- Excel file leverages the CVE-2017-0199 vulnerability to run a PowerShell script.
- PowerShell script downloads executable from newsupdates[.]myftp[.]org.
- Executable connects to bjorn111[.]duckdns[.]org.
- Threat is identified as Crimson RAT (ETPRO TROJAN MSIL/Crimson Receiving Command)
CVE-2017-0199
The current description for this vulnerability by the National Vulnerability Database is:
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.”
Impact
- Complete Information Disclosure
- Integrity compromise
- Resource shutdown
Indicators of Compromise
Hostname
- newsupdates[.]myftp[.]org
- bjorn111[.]duckdns[.]org
MD5
- 69d4883858b44f0c41ba68493c389885
- aadd8b496d887a1c8ef1b0ad944d5ed6
SHA-256
- 6e0ba1b2e72d9a0682d1cdd27eea3980da04582bdef0080bf22f8809d172e229
- d27474625cdc0c3456918edfa58bfaf910c8b98c6168a506ac14afc1a41fb58f
Source IP
- 108[.]62[.]12[.]134
- 160[.]20[.]147[.]59
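As an added example (not code from the alert or from Rewterz), the following Python script refangs the hostnames, IPs and hashes listed above and checks them against proxy/DNS log lines and a hash inventory. The log lines, the hash export and the timestamps in them are constructed for illustration and are not observations from the alert.

```python
"""Match the alert's network and file indicators against log lines and file hashes."""
import hashlib
import re

# Indicators as published in the alert above, in the alert's defanged form.
ALERT_HOSTNAMES = ["newsupdates[.]myftp[.]org", "bjorn111[.]duckdns[.]org"]
ALERT_IPS = ["108[.]62[.]12[.]134", "160[.]20[.]147[.]59"]
ALERT_HASHES = [
    "69d4883858b44f0c41ba68493c389885",  # MD5
    "aadd8b496d887a1c8ef1b0ad944d5ed6",  # MD5
    "6e0ba1b2e72d9a0682d1cdd27eea3980da04582bdef0080bf22f8809d172e229",  # SHA-256
    "d27474625cdc0c3456918edfa58bfaf910c8b98c6168a506ac14afc1a41fb58f",  # SHA-256
]

# Crude extractors for dotted names and IPv4 addresses inside free-form log text.
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in the alert so the value can be compared
    against real log data; lower-case because DNS names are case-insensitive."""
    return indicator.replace("[.]", ".").lower()


def ioc_table() -> dict:
    """Return {indicator_value: kind} with every indicator refanged and lower-cased."""
    table = {refang(h): "hostname" for h in ALERT_HOSTNAMES}
    table.update({refang(ip): "ip" for ip in ALERT_IPS})
    table.update({h.lower(): "hash" for h in ALERT_HASHES})
    return table


def scan_log_lines(lines, table=None):
    """Extract hostnames and IPv4 addresses from each line and report hits
    as (line_number, indicator, kind) tuples with 1-based line numbers."""
    table = table or ioc_table()
    hits = []
    for number, line in enumerate(lines, start=1):
        lowered = line.lower()
        candidates = set(HOST_RE.findall(lowered)) | set(IPV4_RE.findall(lowered))
        for value in sorted(candidates):
            kind = table.get(value)
            if kind in ("hostname", "ip"):
                hits.append((number, value, kind))
    return hits


def match_hash_list(hashes, table=None):
    """Return the alert hashes present in a list of hashes (e.g. an EDR export),
    case-insensitively, as lower-case hex strings."""
    table = table or ioc_table()
    return sorted(h.lower() for h in hashes if table.get(h.lower()) == "hash")


def check_file_hashes(data: bytes, table=None):
    """Hash a file's bytes with MD5 and SHA-256 and report which algorithms
    produced a digest listed in the alert. Returns (digests, matched_algorithms)."""
    table = table or ioc_table()
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    matched = [algo for algo, digest in digests.items() if table.get(digest) == "hash"]
    return digests, matched


# Constructed sample log lines (not from the alert): a proxy request, a DNS answer, benign traffic.
SAMPLE_LOGS = [
    "2020-02-04T09:12:01Z proxy client=10.0.0.5 dst=newsupdates.myftp.org:80 method=GET",
    "2020-02-04T09:12:09Z dns client=10.0.0.5 query=BJORN111.duckdns.org answer=160.20.147.59",
    "2020-02-04T09:13:00Z proxy client=10.0.0.7 dst=www.example.com:443 method=CONNECT",
]

# Constructed hash inventory: the first entry is one of the alert's MD5s in upper case,
# the second is the MD5 of the empty string and should not match.
SAMPLE_HASH_EXPORT = [
    "69D4883858B44F0C41BA68493C389885",
    "d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for number, value, kind in scan_log_lines(SAMPLE_LOGS):
        print(f"line {number}: {kind} indicator {value}")
    print("hash export hits:", match_hash_list(SAMPLE_HASH_EXPORT))
    print("empty file:", check_file_hashes(b""))
```

The matching is exact on refanged values, so it covers the hostnames and IPs the alert publishes but not sibling subdomains of the dynamic-DNS providers; widening it to suffix matching is a policy decision that belongs to the team running it, since blocking whole providers like duckdns.org affects legitimate traffic too.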
Remediation
- Block the threat indicators at their respective controls.
- Update Microsoft Office to latest versions patched against CVE-2017-0199.
- Do not respond to untrusted emails.