Rewterz Threat Advisory – Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
January 20, 2020
Rewterz Threat Alert – Iranian APT Group “MuddyWater” Resurfaces
January 20, 2020
Severity
High
Analysis Summary
STOP (djvu) was one of the most active and widespread ransomware families of 2019. Although it had been around for about a year, 2019 was the first year it was used aggressively in campaigns. It has evaded detection by continuously changing its file extensions and payloads, and its encryption techniques keep improving: in earlier versions, where the key was not generated by its command and control servers, files were easier to recover, whereas in current versions decryption is considerably more difficult. The malware has been delivered through cracked programs, keygens, activators, fake setup programs, and fake Windows updates.

To avoid infecting victims in specific countries, STOP does not rely on local information such as keyboard layouts and timezone settings; instead it uses the information returned by a request to https[:]//api.2ip.ua/geo.json. Persistence is achieved through a scheduled task. The MAC address of the Ethernet card is used as the basis of a unique identifier for the system, which is sent to STOP’s command and control server; the server then returns an RSA-2048 public key to be used in the encryption. Additional malware is then downloaded and installed, including an information stealer called Vidar.
Impact
- Information theft
- File encryption
Indicators of Compromise
MD5
- 290e97907e5be8ea72178414762cd846
- 5b4bd24d6240f467bfbc74803c9f15b0
- 74a9a644307645d1d527d7d39a87861c
- 959b266cad13ba35aee35d8d4b723ed4
- 9ee3b1bcf67a63354c8af530c8fa5313
- b0a89e143babda2762561bc7576017d7
- e3083483121cd288264f8c5624fb2cd1
- f64cf802d1e163260f8ebd224e7b2078
URL
- http[:]//crarepo[.]com/
- http[:]//ring2[.]ug/files/penelop/3[.]exe
- http[:]//ring2[.]ug/files/penelop/4[.]exe
- http[:]//ring2[.]ug/files/penelop/5[.]exe
- http[:]//ring2[.]ug/files/penelop/updatewin[.]exe
- http[:]//ring2[.]ug/files/penelop/updatewin1[.]exe
- http[:]//ring2[.]ug/files/penelop/updatewin2[.]exe
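As an added example that is not part of the Rewterz advisory, the following Python script shows how a defender could operationalize the indicators above: it refangs the published URLs, scans proxy log lines for the listed URLs and hosts together with the api.2ip.ua geolocation lookup described in the analysis summary, checks an MD5 file inventory against the hash list, and reports which internal hosts performed the geo lookup and also contacted an advisory host. The proxy log format, the internal IP addresses, the file paths and the second inventory hash are constructed for the example; only the indicators and the geo-lookup URL come from the advisory.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators copied from the advisory above, in the defanged form it publishes them.
ADVISORY_MD5 = {
    "290e97907e5be8ea72178414762cd846", "5b4bd24d6240f467bfbc74803c9f15b0",
    "74a9a644307645d1d527d7d39a87861c", "959b266cad13ba35aee35d8d4b723ed4",
    "9ee3b1bcf67a63354c8af530c8fa5313", "b0a89e143babda2762561bc7576017d7",
    "e3083483121cd288264f8c5624fb2cd1", "f64cf802d1e163260f8ebd224e7b2078",
}
ADVISORY_URLS = [
    "http[:]//crarepo[.]com/",
    "http[:]//ring2[.]ug/files/penelop/3[.]exe",
    "http[:]//ring2[.]ug/files/penelop/4[.]exe",
    "http[:]//ring2[.]ug/files/penelop/5[.]exe",
    "http[:]//ring2[.]ug/files/penelop/updatewin[.]exe",
    "http[:]//ring2[.]ug/files/penelop/updatewin1[.]exe",
    "http[:]//ring2[.]ug/files/penelop/updatewin2[.]exe",
]
# Geolocation service the analysis summary says STOP queries; it is a legitimate
# service, so a hit here is a hunting lead that needs the other indicators for context.
GEO_CHECK_URL = "https[:]//api.2ip.ua/geo.json"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxp', '[.]', '[:]') back into a matchable URL."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


@dataclass
class Hit:
    kind: str       # "url", "host", "geo_check" or "md5"
    value: str      # the indicator that matched
    src: str        # internal host (proxy log) or file path (inventory)
    evidence: str   # the raw log line or inventory entry


# Constructed proxy log format: timestamp, client IP, method, URL, HTTP status.
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Match each proxy log line against the advisory URLs, their hosts and the geo lookup."""
    ioc_urls = {refang(u) for u in ADVISORY_URLS}
    ioc_hosts = {host_of(u) for u in ioc_urls}
    geo_url = refang(GEO_CHECK_URL)
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        url = m["url"].lower()
        if url in ioc_urls:
            hits.append(Hit("url", url, m["src"], line))
        elif url == geo_url:
            hits.append(Hit("geo_check", url, m["src"], line))
        elif host_of(url) in ioc_hosts:
            # Same distribution host, path not on the list: still worth a look.
            hits.append(Hit("host", host_of(url), m["src"], line))
    return hits


def scan_hash_inventory(entries):
    """entries: iterable of (path, md5hex) such as an EDR or file-integrity export."""
    return [Hit("md5", md5.lower(), path, f"{path} {md5}")
            for path, md5 in entries if md5.lower() in ADVISORY_MD5]


def sources_with_geo_and_c2(hits):
    """Internal hosts that did the geo lookup and also touched an advisory URL or host."""
    kinds_by_src = {}
    for h in hits:
        kinds_by_src.setdefault(h.src, set()).add(h.kind)
    return sorted(src for src, kinds in kinds_by_src.items()
                  if "geo_check" in kinds and kinds & {"url", "host"})


# Constructed sample data (not real telemetry).
SAMPLE_PROXY_LOG = [
    "2020-01-20T09:14:03Z 10.0.0.27 GET https://api.2ip.ua/geo.json 200",
    "2020-01-20T09:14:09Z 10.0.0.27 GET http://ring2.ug/files/penelop/updatewin.exe 200",
    "2020-01-20T09:15:11Z 10.0.0.31 GET https://www.example.com/index.html 200",
    "2020-01-20T09:16:40Z 10.0.0.27 GET http://ring2.ug/files/penelop/other.exe 404",
]
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Downloads\setup.exe", "5B4BD24D6240F467BFBC74803C9F15B0"),
    (r"C:\Windows\notepad.exe", "00000000000000000000000000000000"),  # placeholder hash
]

if __name__ == "__main__":
    proxy_hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in proxy_hits + scan_hash_inventory(SAMPLE_INVENTORY):
        print(f"{h.kind:9} {h.src:40} {h.value}")
    print("geo lookup + advisory host:", sources_with_geo_and_c2(proxy_hits))
```

Hash comparison is case-insensitive because different tools export MD5 in different case, and host-level matching is kept separate from exact URL matching so that a new payload path on a known distribution host is still surfaced without being confused with a listed indicator.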
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.