Archive for category Threats

Rewterz Threat Alert – Two Malspam Campaigns Detected

Severity

Medium

Analysis Summary

Two separate Malspam campaigns have been detected. 

One of the campaigns is a Paychex Themed Malspam dropping the Trickbot malware.

The other one is a Swift themed malicious Loki-ISO Malspam campaign.

Email subjects have been retrieved and given below.

Impact

Trickbot

Loki-ISO

Indicators of Compromise

Email Subject
  • Payment Swift Copy FYR
  • RE: Tax verification documents

Remediation

Scan for the given email subjects. If found, block the sender's IP address, email address and related indicators.


Rewterz Threat Alert – Pots Ransomware Campaign – IoCs

Severity

Medium

Analysis Summary

Discovered in January 2019, this ransomware has been seen affecting Windows in multiple attacks. Ransom.Pots is a Trojan horse that encrypts files on the compromised computer and demands a payment to decrypt them. It appends its own extension to the encrypted file names and leaves a ransom note with instructions for the decryption procedure.

When the Trojan is executed, it creates the following files:

  • %AppData%\[GUID]\1.exe
  • %AppData%\[GUID]\2.exe
  • %AppData%\[GUID]\3.exe
  • %AppData%\[GUID]\updatewin.exe
  • %AppData%\script.ps1

The Trojan also creates the following file in all folders where it encrypts files:

  • [PATH TO MALWARE]\_openme.txt

The Trojan creates the following registry entry so that it runs every time Windows starts:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SysHelper" = ""%AppData%\c76335f4-3ef1-46c4-a9e2-49f4d190a4f3\[MALWARE NAME]" --AutoStart"

The Trojan also creates the following registry entries:

  • HKEY_LOCAL_MACHINE\software\Policies\Microsoft\Windows Defender\"DisableAntiSpyware" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\"ExecutionPolicy" = "RemoteSigned"

Next, the Trojan executes the following file to disable Windows Defender’s real-time monitoring:

  • %AppData%\script.ps1

The Trojan also executes the following file to modify the hosts file:

  • %AppData%\[GUID]\2.exe

Indicators of compromise are given below.

Impact

Pots Ransomware

Files Encryption

Indicators of Compromise

Filename
  • 0A80000.ex
  • dump-2228224.mem
  • 315e6ed36fd5953de34b5486f92c5eb135ac32c06789971be3a21a61fce7dc7f.bin
  • 44DE.TMP.EXE
  • 1.exe
  • updatewin.exe
  • 2.exe
  • Copy of _00920000.mem9

Extension
  • .djvu
  • .rumba
  • .tfudet
  • .tro

Affected Products

Windows

Remediation

Block the threat indicators at their respective controls. 


Rewterz Threat Alert – SpeakUp Malware Infecting Linux Devices

Severity

Medium

Analysis Summary

The primary purpose of the SpeakUp malware appears to be spreading Bitcoin miners to as many Internet-facing Linux devices as possible, for financial gain from the mining.

Impact

  • Malware infection.
  • Exposure of sensitive information.
  • Execution of shell commands. 

Indicators of Compromise


Affected Vendors

Linux

Remediation

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.

Rewterz Threat Alert – Malspam NanoCore RAT Malware – IoCs

Severity

Medium

Analysis Summary

NanoCore RAT malware is actively being spread through different phishing campaigns and drops malicious URLs. Threat indicators are provided.

Impact

Malware infection

Indicators of Compromise


Remediation

  • Block threat indicators at your respective controls 
  • Always be suspicious of the emails sent by unknown senders 
  • Never click on the links/ attachments sent by unknown users/senders

Rewterz Threat Alert – Nymaim Malware – Threat Indicators

Severity

Medium

Analysis Summary

Nymaim malware has been spread through different phishing emails, dropping malicious URLs through .exe and .doc files.

Impact

Nymaim malware infection

Indicators of Compromise


Remediation

  • Block threat indicators at your respective controls
  • Always be suspicious of the emails sent by unknown senders
  • Never click on the links/ attachments sent by unknown users/senders

Rewterz Threat Alert – SLUB Backdoor Uses GitHub, Communicates via Slack

Severity 

Medium

Analysis Summary

SLUB is being spread via watering hole attacks, a technique that involves an attacker compromising a website before adding code to it so visitors are redirected to the infecting code. In this case, each visitor is redirected only once. 

The infection was done by exploiting CVE-2018-8174.

CVE-2018-8174

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability".

The attack also uses a multi-stage infection scheme. After it exploits the vulnerability, it downloads a DLL and runs it in PowerShell (PS). This file, which is a downloader, then downloads and runs the second executable file containing a backdoor. The first stage downloader also checks for the existence of different kinds of antivirus software processes, and exits if any is found.

The downloader

The downloader, which runs through PowerShell as a DLL, serves several purposes. The first is to download the second stage malware, which we called the SLUB (for SLack and githUB; detected as Backdoor.Win32.SLUB.A) backdoor and execute it. The second purpose is to check if the following antivirus processes are running:

  • V3Tray.exe
  • AYAgent.aye
  • navapsvc.exe
  • ashServ.exe
  • avgemc.exe
  • bdagent.exe
  • ZhuDongFangYu.exe

If the downloader finds one of these, it simply exits.

Finally, the downloader also exploits the CVE-2015-1701 vulnerability to gain local privilege escalation. The exploit's code was likely created by modifying code from a GitHub repository.

Figure 1. The infection chain of the attack

The SLUB backdoor

The SLUB backdoor is a custom one written in the C++ programming language, statically linking the curl library to perform multiple HTTP requests. Other statically linked libraries are boost (for extracting commands from gist snippets) and JsonCpp (for parsing Slack channel communication).

The malware also embeds two authorization tokens to communicate with the Slack API.

  • It copies itself to ProgramData\update\ and creates persistence via a Run registry key, calling the export function UpdateMPUnits with rundll32.exe. Note the typo in the ValueName, "Microsoft Setup Initializazion".
  • It downloads a specific "gist" snippet from GitHub and parses it, looking for commands (which we will cover further in this entry) to execute. Only lines starting with "^" and ending with "$" will be executed. The other lines are ignored.

The result of the commands is then posted to a private Slack channel in a particular workspace using the embedded tokens.

Note that a side effect of this particular setup is that the attacker has no way to issue commands to a specific target. Each infected computer will execute the commands that are enabled in the gist snippet upon checking it.
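As an added, defender-side example (not code from the alerts or from Rewterz), the following Python parses `reg export`-style text and flags the Pots registry artefacts from the ransomware alert above (SysHelper Run value with --AutoStart, DisableAntiSpyware, DisableTaskMgr) together with the SLUB Run-key persistence just described (rundll32 calling UpdateMPUnits under the misspelt value name). The sample export is constructed; the registry paths, value names, GUID and 1.exe come from the alerts, while the user name USER and the DLL file name PLACEHOLDER.dll are placeholders the alerts do not give.

```python
import re

# Constructed sample `reg export` text (not from the alert) with the Pots and SLUB artefacts listed
# above; paths, value names, GUID and 1.exe are from the alert, USER and PLACEHOLDER.dll are not.
SAMPLE_REG_EXPORT = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SysHelper"="\"C:\\Users\\USER\\AppData\\Roaming\\c76335f4-3ef1-46c4-a9e2-49f4d190a4f3\\1.exe\" --AutoStart"
"Microsoft Setup Initializazion"="rundll32.exe C:\\ProgramData\\update\\PLACEHOLDER.dll,UpdateMPUnits"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg_export(text):
    """Yield (key, value_name, data); REG_DWORD becomes an int, REG_SZ is unescaped."""
    key = None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            key = m.group('key')
        elif key and (m := VALUE_RE.match(line)):
            data = m.group('data')
            if data.startswith('dword:'):
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace('\\\\', '\\')
            yield key, m.group('name'), data

def _cmdline_has(data, *needles):
    # All needles must appear (case-insensitively) in a string-typed value.
    return isinstance(data, str) and all(n in data.lower() for n in needles)

RULES = [  # (key path suffix, value name, predicate on the value data, finding label)
    (r'\Windows\CurrentVersion\Run', 'SysHelper', lambda d: _cmdline_has(d, '\\appdata\\', 'autostart'),
     'Pots persistence: SysHelper Run value starting an %AppData% binary with --AutoStart'),
    (r'\Policies\Microsoft\Windows Defender', 'DisableAntiSpyware', lambda d: d == 1,
     'Pots defence tampering: Windows Defender disabled (DisableAntiSpyware=1)'),
    (r'\CurrentVersion\Policies\System', 'DisableTaskMgr', lambda d: d == 1,
     'Pots defence tampering: Task Manager disabled (DisableTaskMgr=1)'),
    (r'\Windows\CurrentVersion\Run', 'Microsoft Setup Initializazion', lambda d: _cmdline_has(d, 'rundll32', 'updatempunits'),
     'SLUB persistence: rundll32 export UpdateMPUnits (note the misspelt value name)'),
]

def find_indicators(text):
    # Return [(key, value_name, label)] for every registry value that matches a rule.
    hits = []
    for key, name, data in parse_reg_export(text):
        for suffix, value_name, pred, label in RULES:
            if key.lower().endswith(suffix.lower()) and name.lower() == value_name.lower() and pred(data):
                hits.append((key, name, label))
    return hits
```

Feed it the output of `reg export` for the Run, Windows Defender policy and Policies\System keys from a suspect host; the ExecutionPolicy change is deliberately not a rule on its own, since RemoteSigned is a common legitimate setting.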

Figure 5. Scheme of the backdoor communication, with the first arrow starting from the person who initiates the connection


Impact

  • Remote code execution
  • Data breach

Indicators of Compromise

URLs
  • https://gist.github.com/kancc14522/626a3a68a2cc2a91c1ece1eed7610c8a

Malware Hash (MD5/SHA1/SHA256)
  • 626a3a68a2cc2a91c1ece1eed7610c8a
  • 43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7
  • 3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7

Affected Vendors

Slack
GitHub

Remediation

  • This vulnerability has previously been exploited by Cobalt and is recently active.
  • Make sure all systems are patched against this vulnerability.

Copyright © Rewterz. All rights reserved.