Rewterz Threat Alert – MINEBRIDGE Targets Finance Sector

Friday, February 7, 2020

Severity

Medium

Analysis Summary

In January 2020 the financial services sector in the U.S. was hit by a series of phishing campaigns, all of them delivering a capable backdoor tracked as MINEBRIDGE. The campaigns, aimed at enabling further malware infections and espionage, were initiated via phishing emails with attached documents containing malicious macros. To evade detection the attack chain used a known technique called VBA stomping: the readable macro source stored inside the document is removed or replaced while the compiled p-code that Office actually executes is left in place, so scanners that only inspect the visible VBA source see nothing harmful. The emails were sent from lookalike domains chosen to lend the messages legitimacy, giving the lure a convincing and consistent theme throughout.

The Minebridge Payload

The ultimate goal of the lure documents is to infect victims with the MINEBRIDGE backdoor, a capable piece of malware that gives the attackers full control of the compromised host. Its C2 command set includes downloading and executing additional malware, downloading arbitrary files, self-deletion and self-update, process listing, shutting down or rebooting the system, executing arbitrary shell commands, process elevation, toggling TeamViewer's microphone on and off, and gathering system information.


Impact

Complete takeover of the target environment

Indicators of Compromise

MD5

  • 05432fc4145d56030f6dd6259020d16c
  • 0be9911c5be7e6dfeaeca0a7277d432b
  • 0dd556bf03ecb42bf87d5ea7ce8efafe
  • 15edac65d5b5ed6c27a8ac983d5b97f6
  • 1e9c836f997ddcbd13de35a0264cf9f1
  • 21aa1066f102324ccc4697193be83741
  • 22b7ddf4983d6e6d84a4978f96bc2a82
  • 2333fbadeea558e57ac15e51d55b041c
  • 2b9961f31e0015cbcb276d43b05e4434
  • 2c3cb2132951b63036124dec06fd84a8
  • 4de9d6073a63a26180a5d8dcaffb9e81
  • 505ff4b9ef2b619305d7973869cd1d2b
  • 52d6654fe3ac78661689237a149a710b
  • 53e044cd7cea2a6239d8411b8befb4b7
  • 5624c985228288c73317f2fa1be66f32
  • 598940779363d9f4203fbfe158d6829b
  • 60bdea2c493c812428a8db21b29dd402
  • 681a77eba0734c0a17b02a81564ae73f
  • 6b7d9268c7000c651473f33d088a16bd
  • 6d6f50f7bba4ae0225e9754e9053edc0
  • 6de77c1b4e8abaaf304b43162252f022
  • 7004fadfa572d77e24b33d2458f023d1
  • 71988460fd87b6bff8e8fc0f442c934b
  • 722981703148fa78d41abbae8857f7a2
  • 818f7af373d1ec865d6c1b7f59dc89e5
  • 832052b0f806f44b92f6ef150573af81
  • 836125ae2bed57be93a93d18e0c600e8
  • 86d60bce47c9bb6017e3da26cab50dcf
  • 8919458aec3dcc90563579a76835fc54
  • 8d7e220af48fceee515eb5e56579a709
  • 91b8ec04d8b96b90ea406c7b98cc0ad6
  • 959eb0696c199cbf60ec8f12fcf0ea3c
  • 95ec5e8d87111f7f6b2585992e460b52
  • 9606cf0f12d6a00716984b5b4fa49d7d
  • 9f7fed305c6638d0854de0f4563abd62
  • a11c0b9f3e7fedfe52b1fc0fc2d4f6d1
  • a47915a2684063003f09770ba92ccef2
  • a917b2ec0ac08b5cde3678487971232a
  • ad06205879edab65ed99ed7ff796bd09
  • ad910001cb57e84148ef014abc61fa73
  • b1ce55fca928cf66eaa9407246399d2c
  • b9249e9f1a92e6b3359c35a8f2a1e804
  • bd6880fb97faceecf193a745655d4301
  • be2597a842a7603d7eb990a2135dab5e
  • cf5470bfe947739e0b4527d8adb8486a
  • d593b7847ec5d18a7dba6c7b98d9aebf
  • d7ee4ffce21325dfe013b6764d0f8986
  • de4d7796006359d60c97a6e4977e4936
  • e0069cd3b5548f9fd8811adf4b24bf2e
  • e1ea93fa74d160c67a9ff748e5254fe0
  • ea15d7944c29f944814be14b25c2c2b1
  • f22a4abd5217fa01b56d064248ce0cc5
  • f3cb175e725af7f94533ecc3ff62fa12
  • f6533e09a334b9f28136711ea8e9afca
  • f7daaea04b7fe4251b6b8dabb832ee3a
  • fb1555210d04286c7bcb73ca57e8e430
  • 01067c8e41dae72ce39b28d85bf923ee
  • 1601137b84d9bebf21dcfb9ad1eaa69d
  • 1c883a997cbf2a656869f6e69ffbd027
  • 2ed49bd499c9962e115a66665a6944f6
  • 3b948368fe1a296f5ed18b11194ce51c
  • 4148281424ff3e85b215cd867746b20c
  • 54f22fbc84f4d060fcbf23534a02e5f6
  • 5a3d8348f04345f6687552e6b7469ac1
  • 607d28ae6cf2adb87fcb7eac9f9e09ab
  • 9ba3275ac0e65b9cd4d5afa0adf401b4
  • 9becd2fd73aa4b36ad9cd0c95297d40b
  • 9cce3c9516f0f15ce18f37d707931775
  • 9faf9e0c5945876c8bad3c121c91ea15
  • a37e6eeb06729b6108649f21064b16ef
  • ab8dc4ba75aad317abb8ee38c8928db0
  • b8817253288b395cb33ffe36e0072dc9
  • cb5e5d29f844eb22fecaa45763750c27
  • cffda37453e1a1389840ed6ebaef1b0d
  • dc0e1e4ec757a777a4d4cc92a8d9ef33
  • e5c7e82670372e3cf8e8cab2c1e6bc17
  • f93062f6271f20649e61a09c501c6c92

SHA-256

  • 182ccc7f2d703ad732ffee0e1d9ae4ae5cf6b8817cc33fd44f203d31868b1e97
  • 65ead629a55e953b31668aac3bd373e229c45eb1871d8466f278f39ebcd5d26b
  • 48f6810e50d08c2631f63aae307a7724dba830430f5edd4b90b4b6a5b3c3ca85
  • 03ff2b3067aa73ecd8830b6b0ea4f7cfa1c7476452b26227fb433265e7206525
  • 23da418912119a1358c9a1a4671ba60c396fff4c4de225fe6a225330147549a7
  • 86d839e1d741445f194965eee60d18bd292bec73e4889089e6caf9877581db12
  • fc39cb08cae90c661e00718e2a0051b5de3dcb7cddde919b9ffd2d79bf923d1f
  • 57671d5154e707da0ee6139485f45a50fa9221852ebb65781d45a2660da7d0cb
  • e41b89869c2b510c88acd1ed9fd4a6dfe89222a81c6c1241a69af3b7f812f712
  • b6dbb902125e7bf6f6701b654cbff4abaf2e853441cf34045ac19eff5ed8ce84
  • 7b1d4774176976ffcb2075889557f91a43c05fb13f3bc262bbaec4d7a0a827e6
  • abb05ba50f45742025dd4ebff2310325783da00fb7bc885783e60a88c5157268
  • d6a0e62fe53116c9b5bccd2a584381e2ca86e35490d809ce1900603d5e6b53eb
  • 6e76d648d446e6a70acdd491f04c52d17f9f0e1ef34890c6628c4f48725b47c8
  • 99559a5f06b0279ed893d2799b735dae450a620f6cea2ea58426d8b67d598add
  • 1358b0ccae9dbb493228dc94eb5722c8d34c12227a438766be83df8c1c92a621
  • 383c86deed8797e0915acf3e0c1b6a4142c2c5ecb5d482517ed2ade4df6f36fd
  • 0aaa66dc983179bffdb181079f3b786b6cd587c38c67ba68b560db0bd873278a
  • 6e39ffecab4ca0bd7835a2e773ebfc3f6d909a0a680f898e55f85ed00728666d
  • ddf33eff293ffc268dfd0a33dddef97aefe9e010ec869dc22c221d197eb85740
  • 8f50ddc1519e587597882a6bd0667653c36a8064b56ee5ff77665db2faf24710
  • cccd6b46f950caec5effdd07af339be78691974fec5f25d923932b35edb95c4a
  • 8167d41ad30f5d451791878815e479965b2f5213231f26819ecaf4fcc774ab12
  • a3070ee10dd5bcd65a45b72848c926db2602e5297641452edff66e7133cdce9c
  • cbe4b73c0c95c207ccde9d9bd80f541cf90cad18ba5abc3fe66a811ead1601c2
  • e162a70a6e27fe23379d3a17a3a727d85a94b79416d81ec3b4ea80d329e96830
  • 0fbde653bef4642626f2996a41a15a635eb52cd31eacce133d28301b902d67df
  • 6c134908ad74dfa1468a1166e7d9244695f1ffeff68bfd4eec4b35820b542b8a
  • aad0537924bacddd0d5872f934723e765dbb182f2804c6f594f9b051937495ec
  • 3eefa7072344e044c0a6abb0030f3f26065bf6a86bb50ea38473dd7ac73904fb
  • 0520e68a4b73c3b41e566cf07be54e1f1cb59c59c303fe3390e0687f9af1a58a
  • ccb5f8734befd6ab218513e16a57679a8fb43b2732e19233ee920d379045e318
  • 3f8e38ccf71f122b65fdc679db13e3de3bb4b4fc04b8ab6f955d02e0bca10fae
  • f4f062fd7b98365ed6db993b1da586dd43e5cdcc2f00a257086734daf88c9abb
  • 6c5f72ddf0262838a921107520cdc12ba8e48dbafab4a66732a350095dd48e9f
  • d35ac29ea6e064b13d56f6a534022f253cf76b98e10a7ea1cbfa086eefd64f4b
  • 7b16ce0d2443b2799e36e18f60fe0603df4383b1a392b0549c3f28159b1ca4d4
  • 8578bff803098bf5ca0d752d0a81f07659688a32cbfc946728e5ab0403f5c4ba
  • d560f8717f4117d011f40c8880081d02d1455a41c93792e1600799d3e5ee9421
  • c9a6f7b0603779690c1d189850403f86608a3c5e1cd91e76fd31c4f119ae256b
  • c6214ec7909ce61d6ec3f46f5a7ec595d8cc8db48965c5baee8a346632cbe16d
  • 0695e5e49a297c980b96f76bf10e5540de188d6a6a162e38f475418d72a50032
  • 23840c587e4e9588b3d0795d4d76a4f3d4d5b2e665ce42dde0abcd1e0a2ba254
  • 6288d3de1f1aa05fa0a5f0c8eb9880d077f034fc79fc20f87cbfcc522aa803cb
  • 6357fdb8f62948d489080b61caf135e6aaba32dcdb7dc49b0efafef178b3b54f
  • 5df3a6afb1a56fa076c6db716d5a050455158941ec962546a8799fc80ccfa573
  • 92e94482dee75261c8ebdcbb7ace382a097cca11bcdc675bbe2d7b3f67525f84
  • ee8ba1c5329d928d542bfa06eec2c0a3e3b97dcc20382ddbc27bc420ceaeb677
  • 6046d6aed3f4ee2564d6be540d46bcdc0bebce11a1ced4b9ddbfa1a41084411c
  • 92c10ef23209e09abb17e41d67301f0e3f7d9e7ddfc7c1a66140c4986d72bee7
  • 5898b41ca4f4777ad04d687f93548129ccb626d2f5e6e100b0a037c3d40a7444
  • 858b4070f8b83aa43fd6a5189a8ed226ce767a64972db893e36550a25b20be94
  • 5a5385df469459cd56f6eecbf4b41b8c75aa17220c773501eaec22731f3a41bb
  • 9136c36ccd0be71725e8720a6cfdbdd38d7eea3998228c69ed4b52e78ba979c4
  • 6abd90d718113482a5bcd36e35b4ea32c469f94fc2cfb9c1c98214efbf64c352
  • 36da56815dc0c274fc8aacdfffbc4d5e500025ccd1147cad513d59b69ab955d
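
Hash lists like the one above are usually pasted straight into a blocklist, which silently hides copy errors: the last SHA-256 entry on this page is only 63 hex digits long and would never match anything. The following is an added example, not part of the Rewterz alert, showing how to normalise such a list, reject malformed entries, and check a file's digests against the usable ones. The indicators in RAW_IOCS are copied from the alert; the sample bytes are constructed for the example and are not malware.

```python
import hashlib
import re

# Indicators pasted from the alert above, in the page's own bullet format. Two are
# well-formed (one MD5, one SHA-256); the third is the alert's final SHA-256 entry,
# which is only 63 hex digits long and so cannot be a complete SHA-256 digest.
RAW_IOCS = """
  • 05432fc4145d56030f6dd6259020d16c
  • 182ccc7f2d703ad732ffee0e1d9ae4ae5cf6b8817cc33fd44f203d31868b1e97
  • 36da56815dc0c274fc8aacdfffbc4d5e500025ccd1147cad513d59b69ab955d
"""

# Constructed stand-in for a file pulled from a mailbox or endpoint; not a real sample.
CONSTRUCTED_SAMPLE = b"constructed test bytes standing in for an attachment"

HEX_RE = re.compile(r"^[0-9a-f]+$")
# Digest length in hex characters -> hashlib algorithm name.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_iocs(text):
    """Split a pasted indicator list into per-algorithm sets and a list of rejects.

    Tokens are lower-cased and stripped of bullets and whitespace. Anything that is
    not pure hex of a known digest length is reported rather than silently dropped,
    so a truncated or mistyped hash in a feed is noticed instead of never matching.
    """
    by_algo = {algo: set() for algo in HASH_LENGTHS.values()}
    malformed = []
    for line in text.splitlines():
        token = line.strip().lstrip("•").strip().lower()
        if not token:
            continue
        algo = HASH_LENGTHS.get(len(token))
        if algo is None or not HEX_RE.match(token):
            malformed.append(token)
            continue
        by_algo[algo].add(token)
    return by_algo, malformed


def file_hashes(data):
    """Compute every digest type the IOC list can contain for one blob of bytes."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_LENGTHS.values()}


def match_sample(data, by_algo):
    """Return (algorithm, digest) pairs for which `data` appears in the IOC sets."""
    return [(algo, digest) for algo, digest in file_hashes(data).items()
            if digest in by_algo[algo]]


def demo():
    """Run the whole flow offline: parse the list, then check a constructed file."""
    by_algo, malformed = classify_iocs(RAW_IOCS)
    # Register the constructed sample's digest so the positive-match path is exercised
    # without needing real malware on disk.
    by_algo["sha256"].add(file_hashes(CONSTRUCTED_SAMPLE)["sha256"])
    return {
        "malformed": malformed,
        "hits": match_sample(CONSTRUCTED_SAMPLE, by_algo),
        "benign_hits": match_sample(b"some unrelated bytes", by_algo),
    }


if __name__ == "__main__":
    result = demo()
    for bad in result["malformed"]:
        print(f"malformed indicator ({len(bad)} chars): {bad}")
    print("hits on constructed sample:", result["hits"])
    print("hits on benign bytes:", result["benign_hits"])
```

Run against the full list, the malformed report is the place to look before loading anything into a control; a 63-character string in a SHA-256 feed is a transcription problem to raise with the source, not an indicator to deploy.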

Remediation

  • Block the indicators listed above at your mail, web and endpoint controls. Hash indicators only catch the exact samples already seen; a recompiled dropper or a freshly stomped document carries a new hash, so treat them as a floor rather than as coverage of the campaign.
  • Treat Office attachments that carry macros as suspicious regardless of how the sender appears, and check the sending domain rather than the display name, since the campaign relied on lookalike domains to appear legitimate.
  • Do not open attachments or follow links in unsolicited email from unknown senders.
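
The alert notes that the senders used lookalike domains to make the messages appear legitimate. Below is an added example, not part of the Rewterz alert, of a simple mail-gateway triage check that compares the From: domain against a list of domains the organisation trusts and separates exact matches from near-miss typosquats and from domains that merely embed a trusted brand label. The protected list, the threshold and the sample headers are all constructed for the example.

```python
from difflib import SequenceMatcher

# Constructed list of domains whose mail this organisation trusts (assumption for the
# example; substitute your own vendors, partners and internal domains).
PROTECTED_DOMAINS = ["examplebank.com", "rewterz.com"]


def sender_domain(address):
    """Extract the lower-cased domain from a From: value such as 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def assess_sender(address, protected=PROTECTED_DOMAINS, threshold=0.85):
    """Classify a sender domain as trusted, lookalike, brand-abuse or unknown.

    - trusted: exact match against the protected list
    - lookalike: high character similarity to a protected domain (typosquats,
      digit-for-letter swaps) but not identical
    - brand-abuse: a protected brand label embedded in some other domain
      (e.g. brand-secure.com or brand.com.attacker.net)
    - unknown: no relationship to the protected list; handle like any other stranger
    Returns (verdict, domain, matched_protected_domain_or_None).
    """
    domain = sender_domain(address)
    if domain in protected:
        return ("trusted", domain, domain)
    for target in protected:
        similarity = SequenceMatcher(None, domain, target).ratio()
        if similarity >= threshold:
            return ("lookalike", domain, target)
        brand_label = target.split(".")[0]
        if brand_label in domain:
            return ("brand-abuse", domain, target)
    return ("unknown", domain, None)


def triage_headers(from_headers):
    """Return the verdict tuple for each From: header, in input order."""
    return [assess_sender(h) for h in from_headers]


# Constructed sample headers (not from the campaign) covering each verdict.
SAMPLE_FROM_HEADERS = [
    "Alerts <alerts@examplebank.com>",
    "IT Helpdesk <helpdesk@examp1ebank.com>",
    "Security <support@examplebank-secure.com>",
    "Newsletter <news@totally-unrelated.org>",
]

if __name__ == "__main__":
    for header, (verdict, domain, target) in zip(SAMPLE_FROM_HEADERS,
                                                  triage_headers(SAMPLE_FROM_HEADERS)):
        print(f"{verdict:12} {domain:28} closest protected domain: {target}")
```

The similarity threshold is a tuning knob: 0.85 separates a single substituted character from a hyphenated brand domain in the constructed set above, but it should be calibrated against your own protected list, and a lookalike or brand-abuse verdict is a reason to quarantine and review the macro attachment, not a verdict on its own.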

Copyright © Rewterz. All rights reserved.