
Rewterz Threat Alert – Sodinokibi Ransomware Targeting Asia via the RIG Exploit Kit

Severity

High

Analysis Summary

A new malvertising campaign running on low-quality web game and blog sites is redirecting Asian victims to the RIG exploit kit, which then quietly installs the Sodinokibi ransomware. The campaign targets Internet Explorer users in Vietnam, Korea, Malaysia and possibly other Asian countries. While browsing, users are redirected to a RIG exploit kit gateway that attempts to exploit Flash vulnerabilities in the browser. If successful, the user will see Internet Explorer begin to crash along with various alerts from the Windows Script Host, as shown below.

RIG Exploit kit in Internet Explorer

This is because the exploit kit executes a JScript command that downloads an obfuscated VBScript. That VBScript then downloads and installs the Sodinokibi ransomware, also known as REvil, on the victim’s computer. Once executed, the ransomware begins encrypting the victim’s files. Because the exploit kit installs the ransomware without the user’s knowledge, apart from the suspicious Internet Explorer crash, most users will not know they are infected until the ransomware has finished. They will then find that they cannot access their documents and that their desktop wallpaper has been replaced with instructions telling them to open the ransom note.

REvil/Sodinokibi ransom note

Users are advised to restore from backups if at all possible rather than paying the ransom.

Impact

File encryption

Indicators of Compromise

Domain Name

  • palmecophilippines[.]com
  • sppdstats[.]com
  • kryptos72[.]com
  • ruggestar[.]ch
  • vedsegaard[.]dk

MD5

  • e9075f6bb4802b4cb56eec65f2899d67
  • 610c9c5f0686dfc0fcd6d68778ce5025

SHA256

  • fba829759d359dea91db09ac8b4674237d8dbc57ec8b76a3ebf227da9ae96535
  • e7f9c0229c0874c069c2f3dcf237e1ee334ac4f9bc955be8146d07941ff35790

SHA1

  • 4c7da5878b1a233b46f5e80f748b57dba5c8d8f0
  • 3d241b2c1b201205761ce10b381727b0c7fbc24a

Source IP

  • 74[.]220.215[.]214
  • 141[.]98.199[.]99
  • 35[.]204.114[.]36
  • 92[.]43.216[.]137
  • 34[.]76.93[.]122
  • 195[.]249.40[.]199

Remediation

  • Block the threat indicators at their respective controls.
  • Do not click on random ads during web browsing.
  • Have the latest Windows updates installed, programs updated, and web applications upgraded.
  • Use only up-to-date, secure browsers.

Rewterz Threat Alert – Scammers Abusing a New Firefox Browser Lock Bug

Severity

Medium

Analysis Summary

A bug in Firefox can be triggered by sending a large number of authorization confirmation prompts to the browser. According to BleepingComputer, this causes the visible page, in this case the scammer’s tech support page, to refuse to close. The victim’s only real choice (other than calling the scammers) is to use the Task Manager to terminate Firefox. The threat message the scammers display claims that the victim’s copy of Windows is pirated and has been locked, and that the system has been hacked and is spreading viruses over the Internet. The page claims that the system has been blocked for the victim’s safety. The report stated that Chrome has been affected similarly in the past. One way to reach such a page could be by visiting a fake ad link (the article suggested a fake eBay ad).


Impact

Browser lock

Affected Vendors

Mozilla

Affected Products

Mozilla Firefox

Indicators of Compromise

URL

http[:]//d2o1sv4d11x6bc[.]cloudfront[.]net/firefox/index[.]html

Remediation

Use Windows Task Manager to terminate the process associated with your browser.

Rewterz Threat Alert – Variant of Adwind RAT Targets Petroleum Sector

Severity

High

Analysis Summary

Adwind is a remote access Trojan known to evade detection upon entry and to communicate with a command-and-control server once connected. The Trojan can steal sensitive information, such as credentials, as well as spy through a user’s webcam and log a user’s keystroke activity. This modified variant adds multi-layer obfuscation, nesting files with various extensions to avoid detection; iDefense suspects it is tailored specifically to this industry. The malware originated from compromised Westnet accounts.

Impact

  • Information Theft
  • Credential Theft
  • Unauthorized Access

Indicators of Compromise

Hostname

members[.]westnet[.]com[.]au

Source IP

185[.]205.210[.]48

URL

hxxp[:]//members[.]westnet.com[.]au/~

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files/software from random sources on the internet.

Rewterz Threat Alert – Titanium Malware: the Platinum group strikes again

Severity

Medium

Analysis Summary

An APT group dubbed Platinum is using a new stealthy Trojan-backdoor malware named Titanium to infiltrate and take control of its targets’ systems. The group is known for targeting governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. Platinum apparently uses local intranet websites to deliver the malicious artifacts during the infection process, or a shellcode that gets injected into a system process via a yet unknown method. The shellcode’s only purpose is to gain an initial foothold on a target’s machine by downloading encrypted payloads from a command and control server, decrypting them, and launching the next payload in the infection chain.

After compromising a system, the malware downloads the files it needs using the Windows Background Intelligent Transfer Service (BITS) and uses the legitimate cURL tool to communicate with the C2 server. The commands it receives are steganographically hidden in PNG files and allow the attackers to perform a wide range of tasks, including but not limited to:

  • Read any file from the file system and send it to the C&C
  • Drop or delete a file in the file system
  • Drop a file and run it
  • Run a command line and send the execution results to the C&C
  • Update configuration parameters (except the AES encryption key)
  • Interactive mode – allows the attacker to send input to console programs and receive their output at the C&C

The APT group is possibly exploiting the vulnerability CVE-2019-13720 in Google Chrome.

Impact

  • Information Theft
  • Data Manipulation
  • Code Execution
  • System Takeover

Indicators of Compromise

Source IP

70.39.115[.]196

URL

  • hxxp[:]//70.39.115[.]196/payment/confirm[.]gif?f=1
  • http[:]//70.39.115[.]196/payment/confirm[.]gif
  • http[:]//70.39.115[.]196/payment/confirm[.]gif?f=2

Remediation

  • Block the threat indicators at their respective controls.
  • Keep all systems and software updated to latest patched versions.

Rewterz Threat Alert – DarkUniverse APT Framework

Severity

High

Analysis Summary

In April 2017, ShadowBrokers published their well-known ‘Lost in Translation’ leak, which, among other things, contained an interesting script that checked for traces of other APTs in the compromised system.

Spear phishing was used to spread the malware. A letter was prepared separately for each victim to grab their attention and prompt them to open an attached malicious Microsoft Office document.

Each malware sample was compiled immediately before being sent and included the latest available version of the malware executable. Since the framework evolved from 2009 to 2017, the last releases are totally different from the first ones, so the current report details only the latest available version of the malware used until 2017.

The executable file embedded in the documents extracts two malicious files from itself, updater.mod and glue30.dll, and saves them in the working directory of the malware – %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Reorder.

After that, it copies the legitimate rundll32.exe executable into the same directory and uses it to run the updater.mod library.
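The staging behaviour described above (a copy of rundll32.exe placed in the Reorder directory and used to run updater.mod) is a detection opportunity: a legitimate rundll32.exe executes from the Windows system directories, and it should never be loading a module from a user's roaming profile. The following is an added example, not Rewterz tooling or anything from the DarkUniverse write-up, that evaluates Sysmon-style process-creation events against that behaviour. The event field names, the sample events and the entry-point name "Start" are constructed assumptions; only the artifact names and the staging directory come from the alert.

```python
"""Flag process-creation events matching the DarkUniverse staging behaviour:
a copy of rundll32.exe running outside the Windows system directories, or
rundll32.exe loading updater.mod / glue30.dll from the Reorder directory.
Added example; field names and sample events are constructed, not from the alert."""
import ntpath
import re

# Where a genuine rundll32.exe lives on a default Windows install (assumption).
LEGIT_RUNDLL32_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
LEGIT_RUNDLL32_PREFIXES = ("c:\\windows\\winsxs\\",)
# Artifact names and staging directory as given in the alert.
SUSPECT_MODULES = {"updater.mod", "glue30.dll"}
SUSPECT_DIR_SUFFIX = "\\appdata\\roaming\\microsoft\\windows\\reorder"

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(command_line: str) -> list:
    """Split a Windows command line, keeping double-quoted paths with spaces intact."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(command_line)]


def is_legit_rundll32_dir(directory: str) -> bool:
    directory = directory.lower()
    return directory in LEGIT_RUNDLL32_DIRS or directory.startswith(LEGIT_RUNDLL32_PREFIXES)


def analyze_event(image: str, command_line: str) -> list:
    """Return the reasons an event matches the described behaviour (empty list = nothing seen)."""
    reasons = []
    if ntpath.basename(image).lower() != "rundll32.exe":
        return reasons
    image_dir = ntpath.dirname(image)
    if not is_legit_rundll32_dir(image_dir):
        reasons.append(f"rundll32.exe executed from non-system directory: {image_dir or '<unknown>'}")
    # rundll32 takes "<module>,<entrypoint>" as its first argument; inspect every argument.
    for token in split_windows_cmdline(command_line)[1:]:
        module_path = token.split(",", 1)[0]
        name = ntpath.basename(module_path).lower()
        if name in SUSPECT_MODULES:
            reasons.append(f"known DarkUniverse artifact loaded: {name}")
        if ntpath.dirname(module_path).lower().endswith(SUSPECT_DIR_SUFFIX):
            reasons.append(f"module loaded from Reorder staging directory: {ntpath.dirname(module_path)}")
    return reasons


def scan_events(events) -> list:
    """Return (index, reasons) for every event that triggers at least one rule."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = analyze_event(ev["image"], ev["command_line"])
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed Sysmon-style process events (not from the alert).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Reorder\rundll32.exe",
     "command_line": r'"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Reorder\rundll32.exe" '
                     r'"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Reorder\updater.mod",Start'},
    {"image": r"C:\Windows\SysWOW64\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Run'},
]

if __name__ == "__main__":
    for idx, reasons in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Only the second sample event fires, on all three rules; the SysWOW64 event with a quoted vendor path shows why the command line must be split on quotes rather than on whitespace.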

Impact

Credential theft

Indicators of Compromise

MD5

  • 1addee050504ba999eb9f9b1ee5b9f04
  • 4b71ec0b2d23204e560481f138833371
  • 4e24b26d76a37e493bb35b1a8c8be0f6
  • 405ef35506dc864301fada6f5f1d0711
  • 764a4582a02cc54eb1d5460d723ae3a5
  • c2edda7e766553a04b87f2816a83f563
  • 71d36436fe26fe570b876ad3441ea73c

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – Emotet Malware – IoCs

Severity

High

Analysis Summary

Emotet is a Trojan that is primarily spread through spam emails (malspam). The infection may arrive via a malicious script, a macro-enabled document, or a malicious link. Emotet emails may carry familiar branding designed to look like a legitimate email. Emotet may try to persuade users to click the malicious files by using tempting language about “Your Invoice,” “Payment Details,” or possibly an upcoming shipment from well-known parcel companies.

Emotet has gone through a few iterations. Early versions arrived as a malicious JavaScript file. Later versions evolved to use macro-enabled documents to retrieve the virus payload from command and control (C&C) servers run by the attackers.

Impact

Financial loss

Indicators of Compromise

SHA256

  • 19af5bfb8decc32253875836c39031a7e8258d167af7d0332527d0bcecb0c2b2
  • 1a762540a795a8daa194322648a2d0072ed65da6e961989b284c31cb57f68405
  • 226a36d5c22d1222e1a29d9b1eb8a072e39c5901c7b34654dc303ee6aa19f577
  • 252dc0a071edf76775a0a954287fc0cc7ebb45e6f6849f210f747027d5cdeaf1
  • 47699a9bb49acddb8c3ccc90dd7059d9677c2337878972d289fe8b656d44119d
  • 56524c7f2264ebf2f309fc400eac6016df092c75c6871669d141fcab966fdb10
  • 66f0b3b78d41b0164d680f850808ae9133b8f01746662292209aa32588e5db08
  • 872e9f66d27895a16d84e9c2ab50708693dd85ae47ad01ccd62b884bfbb2ad56
  • a35c5cd847e920a0655e99c9886aab94c91a190b3d0ef81d077e91840aa7c17b
  • a3f8cb08735b481402bbe20ac0b2acfb827feac8f62d9d37db3aee0ae03c826f
  • a9b18b8eb2f84bac3e831bcead88b525e623e0a3b7c71fc54130b99b3c12969f
  • b6e62040ec8b2a92762f654d7f561c761235d6cb688e476c45e96b5355154759
  • cb1418e28836dca5fb61a788ce324e9e4d1c3b1e4de6cdada721786f4ea8e12c
  • e6d81855312d026966d95dd51dc09a23fa743d21bb2edb4f8943d767fff54a25
  • eaa809f6ebdc3ddceba5b7d61bfe29db87f098a4c7bec05243c59df51406dfa1
  • ffa68a8f6da85239d67cc3900d6ec7c573ae607cd9061389b260c2f5034dd4a0

URL

  • http[:]//altruisme[.]id/wp-admin/vZKnZqjMqsPuwinXFnaBOzVfQe/
  • http[:]//apple-doctor[.]co[.]kr/wp-includes/57ue8yxbj9cnltpw79ovgprc79mcgfwrg3g/
  • http[:]//blog[.]nalanchenye[.]cn/sjnx/ev7j3w2wuzw9c06sfnsl1pkxomci0k8tx/
  • http[:]//blog[.]yaobinjie[.]top/wp-admin/97e4bgd1ipa2xkuy2nmk5ebueof2rugff7/
  • http[:]//garatuonline[.]es/wp-admin/ayr56gh65xnuncin8l0ddkngn0gkt2/
  • http[:]//giftcatelogz[.]com/wp-admin/cb10wpgm89ysnysitilbbd084/
  • http[:]//jftwebmarketing[.]com/mcc/yrjdo5ui3iuvfcu9e1svri/
  • http[:]//korekortviborg[.]dk/wsxq66h/mnWlDLjshjGVzx/
  • http[:]//mynet07[.]com/wp-admin/bFEYqYEGLBypImyyjc/
  • http[:]//nirvana-memorial[.]co[.]th/cgi-bin/ih929uqqn27650xrm/
  • http[:]//puskesmasmanguharjo[.]madiunkota[.]go[.]id/hfoiawj24jr/zUbarcSMvgXc/
  • http[:]//quangcaogiaodich[.]com/wp-content/upgrade/jzkowiu4uobwywynyj7/
  • http[:]//sabzoabi[.]ir/abiosabz[.]ir/mj4qdtd83jid8ibxg9awoe/
  • http[:]//shreeharisales[.]org/wp-admin/oLJDQSyjhXrWuCkCUhpHETW/
  • http[:]//test[.]oeag[.]at/lare/xzfjglc0ygmm5869qhjlbil/
  • http[:]//www[.]awardglobal[.]cn/gsae9da/98ner0e6ynm8wp4jkyrnm4sixrufzjkddvg9/
  • http[:]//www[.]cyberoceans[.]ng/cgi-bin/5aua6r6yif7oi2adx2uvh3bq459429hape6ju/
  • http[:]//www[.]digitalsushi[.]it/wp-admin/MQlQnlzmtaX/
  • http[:]//www[.]dolphininsight[.]it/wp-includes/wIAxwfTVtpEDixSmDMrVE/
  • http[:]//www[.]dty5[.]com/aqs2q/i0vzxgxwb2qyiwopfw5x0xghz86b1/
  • http[:]//xe-logistics[.]com/san/lba70p8gsncc1fi4wy3cwugxbjrk/

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
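Each alert above (Sodinokibi/RIG, Adwind, Titanium, Emotet) publishes its indicators defanged and closes with "block the threat indicators at their respective controls". The following is an added example, not Rewterz tooling, showing how a defender turns those lists into something usable: it refangs the indicators, classifies each as hash, IP, domain or URL, and matches them against proxy, DNS and EDR log lines. The log lines and their field layout are constructed; the indicators themselves are copied from the alerts on this page.

```python
"""Refang the defanged indicators published in the alerts above and match them
against log lines. Added example; the sample log lines are constructed."""
import ipaddress
import re

# Indicators copied from the alerts on this page, defanged exactly as published.
RAW_IOCS = [
    "sppdstats[.]com",                                        # Sodinokibi / RIG
    "kryptos72[.]com",
    "74[.]220.215[.]214",
    "fba829759d359dea91db09ac8b4674237d8dbc57ec8b76a3ebf227da9ae96535",
    "e9075f6bb4802b4cb56eec65f2899d67",
    "members[.]westnet[.]com[.]au",                           # Adwind
    "70.39.115[.]196",                                        # Titanium
    "hxxp[:]//70.39.115[.]196/payment/confirm[.]gif?f=1",
    "http[:]//70.39.115[.]196/payment/confirm[.]gif",
    "http[:]//70.39.115[.]196/payment/confirm[.]gif?f=2",
    "http[:]//altruisme[.]id/wp-admin/vZKnZqjMqsPuwinXFnaBOzVfQe/",  # Emotet
]

HEX_RE = re.compile(r"^[0-9a-f]+$")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
URL_RE = re.compile(r"https?://[^\s\"']+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(ioc: str) -> str:
    """Undo the [.] / [:] / hxxp defanging used in the alerts."""
    value = ioc.strip().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


def classify(ioc: str):
    """Return (kind, normalized value) for one indicator."""
    value = refang(ioc).lower()
    if HEX_RE.match(value) and len(value) in HASH_KIND:
        return HASH_KIND[len(value)], value
    if value.startswith(("http://", "https://")):
        return "url", value
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        return "domain", value.rstrip(".")


class IocSet:
    def __init__(self, raw_iocs):
        self.hashes, self.ips, self.domains, self.urls = set(), set(), set(), set()
        for raw in raw_iocs:
            kind, value = classify(raw)
            if kind in HASH_KIND.values():
                self.hashes.add(value)
            elif kind == "ip":
                self.ips.add(value)
            elif kind == "url":
                # Emotet URLs sit on compromised legitimate sites: match the full URL, not the host.
                self.urls.add(value)
            else:
                self.domains.add(value)

    def matching_domain(self, host: str):
        """Return the indicator domain that host equals or is a subdomain of, else None."""
        host = host.lower().rstrip(".")
        for domain in self.domains:
            if host == domain or host.endswith("." + domain):
                return domain
        return None

    def match_line(self, line: str) -> list:
        """Return sorted 'kind:indicator' hits found in one log line (case-insensitive)."""
        low = line.lower()
        hits = set()
        hits.update(f"hash:{h}" for h in HASH_RE.findall(low) if h in self.hashes)
        hits.update(f"ip:{ip}" for ip in IP_RE.findall(low) if ip in self.ips)
        for host in HOST_RE.findall(low):
            domain = self.matching_domain(host)
            if domain:
                hits.add(f"domain:{domain}")
        for url in URL_RE.findall(low):
            url = url.rstrip(".,;)")
            hits.update(f"url:{u}" for u in self.urls if url.startswith(u))
        return sorted(hits)


def scan(lines, iocs: IocSet) -> list:
    """Return (line number, line, hits) for every line with at least one hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = iocs.match_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed proxy / DNS / EDR log lines (not from the alerts).
SAMPLE_LOGS = [
    "2019-11-12T09:14:51Z proxy src=10.0.0.5 dst=74.220.215.214 GET http://sppdstats.com/landing",
    "2019-11-12T09:15:03Z dns query[A] cdn.kryptos72.com from 10.0.0.7",
    "2019-11-12T09:16:40Z edr host=WS-042 sha256=fba829759d359dea91db09ac8b4674237d8dbc57ec8b76a3ebf227da9ae96535",
    "2019-11-12T09:20:11Z proxy src=10.0.0.9 GET http://altruisme.id/wp-admin/vZKnZqjMqsPuwinXFnaBOzVfQe/doc.php",
    "2019-11-12T09:21:00Z proxy src=10.0.0.3 GET http://70.39.115.196/payment/confirm.gif?f=2",
    "2019-11-12T09:22:30Z proxy src=10.0.0.5 GET https://www.example.com/index.html",
]

if __name__ == "__main__":
    for number, line, hits in scan(SAMPLE_LOGS, IocSet(RAW_IOCS)):
        print(f"line {number}: {', '.join(hits)}")
```

Domains match on the apex and any subdomain, while URL indicators match only on the full path prefix, because the Emotet URLs point at compromised WordPress sites whose domains are otherwise legitimate and would generate false positives if blocked wholesale.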

Copyright © Rewterz. All rights reserved.