September 21, 2023
Severity
High
Analysis Summary
DangerousPassword is a Chinese APT group that has been specifically targeting cryptocurrency exchanges since June 2019. The campaign distributes malware through email shortcuts and uses four distinct attack methods to infect its targets. Notably, DangerousPassword has expanded its focus to cover both Windows and macOS: on macOS it uses an AppleScript (a main.scpt file) that downloads and runs an unauthorized application with the "curl" command. Once executed, the rogue application displays a window, XOR-decodes and reads the contents of files, and then connects to a command-and-control (C2) server, fetching a file based on the decoded instructions and executing it on the compromised system. The campaign's primary objective remains targeted attacks against cryptocurrency exchanges in Japan. Users are advised to exercise caution on social networking platforms, particularly LinkedIn, since the attackers may attempt to establish contact through such channels, and macOS users in particular are urged to remain vigilant.
Impact
- Information Theft and Espionage
Indicators of Compromise
MD5
- 9dff852c319de7818dab707c3fae4cbb
- 394c2cb40b5a2156879250f6fbbb2d76
SHA-256
- 0722153738daa8715f7e721d144d26ed8976c9a221582ccce0decf9f4d323943
- 184fba6160521bd8c345d327e42ad2804dca419edec5657a859be78b82c1d98b
SHA-1
- 83e9011a7f49c521f6565c1d6b97c676bbf008c9
- 669683bf7dd482d769b788c12eae7458f01c1e5b
URL
- http://file.fclouddown.co:443/LaZmDqvh+fDZnSFNG3FM4LjO79DWwaPJu0bC2cbC+6Y=
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Ensure that your antivirus and anti-malware software is up to date and capable of detecting and blocking known malware strains.
- Keep your operating system, applications, and security software updated with the latest patches and security updates to address vulnerabilities.
- Implement email filtering solutions to scan and block malicious attachments and links before they reach users’ inboxes.
- Enforce strict access controls and the principle of least privilege, ensuring that only authorized users have access to sensitive systems and data.
- Train employees and users to be cautious when handling email attachments or links, especially if they are not expecting them.
- Implement network security measures such as firewalls, intrusion detection/prevention systems (IDPS), and network segmentation to detect and block malicious network traffic.
- Patch and upgrade all platforms and software in a timely manner and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
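The "search for IOCs in your environment" step above can be put into practice with a small hunting script. The following is an added example, not Rewterz tooling: it carries the MD5, SHA-1, SHA-256 and URL indicators published in this alert, hashes every file under a directory and compares the digests against those sets, and scans proxy-style log lines for the C2 host. The log lines embedded in the block are constructed for the demonstration and are not real telemetry; the `build_demo_dir` helper only exists so the script can be exercised against a harmless sample file.

```python
"""Hunt for the DangerousPassword IOCs listed in this alert on disk and in logs.

Added example, not part of the alert or of Rewterz tooling. Hash and URL values
are the ones published in the alert; sample log lines and files are constructed.
"""
import hashlib
import os
import tempfile
from urllib.parse import urlsplit

# File-hash indicators from the alert (already lower-case hex).
IOC_MD5 = {
    "9dff852c319de7818dab707c3fae4cbb",
    "394c2cb40b5a2156879250f6fbbb2d76",
}
IOC_SHA1 = {
    "83e9011a7f49c521f6565c1d6b97c676bbf008c9",
    "669683bf7dd482d769b788c12eae7458f01c1e5b",
}
IOC_SHA256 = {
    "0722153738daa8715f7e721d144d26ed8976c9a221582ccce0decf9f4d323943",
    "184fba6160521bd8c345d327e42ad2804dca419edec5657a859be78b82c1d98b",
}
# C2 URL from the alert. Matching is done on the host so that path variants
# (the path here looks like per-victim encoded data) are still caught.
IOC_URL = "http://file.fclouddown.co:443/LaZmDqvh+fDZnSFNG3FM4LjO79DWwaPJu0bC2cbC+6Y="
IOC_HOSTS = {urlsplit(IOC_URL).hostname}

# Constructed sample proxy log lines (not real traffic) used to exercise the scanner.
SAMPLE_PROXY_LOG = [
    "2023-09-21T10:02:11Z 10.0.0.14 GET https://example.com/index.html 200",
    "2023-09-21T10:02:13Z 10.0.0.14 GET " + IOC_URL + " 200",
    "2023-09-21T10:02:15Z 10.0.0.22 CONNECT file.fclouddown.co:443 -",
]


def file_digests(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of a file, read in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def match_digests(digests, md5s=IOC_MD5, sha1s=IOC_SHA1, sha256s=IOC_SHA256):
    """Return the names of the hash algorithms whose digest matched an IOC."""
    md5, sha1, sha256 = (d.lower() for d in digests)
    hits = []
    if md5 in md5s:
        hits.append("md5")
    if sha1 in sha1s:
        hits.append("sha1")
    if sha256 in sha256s:
        hits.append("sha256")
    return hits


def scan_directory(root, **ioc_sets):
    """Walk root and return {path: [matched algorithms]} for files matching IOCs."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hits = match_digests(file_digests(path), **ioc_sets)
            except OSError:
                continue  # unreadable file: skip it rather than abort the hunt
            if hits:
                findings[path] = hits
    return findings


def scan_log_lines(lines, hosts=IOC_HOSTS):
    """Return the log lines that reference an IOC host, as a URL or as host[:port]."""
    hits = []
    for line in lines:
        for token in line.split():
            if token.startswith(("http://", "https://")):
                host = urlsplit(token).hostname
            else:
                host = token.split(":")[0]  # bare host or host:port token
            if host and host.lower() in hosts:
                hits.append(line)
                break
    return hits


def build_demo_dir(content=b"constructed harmless sample file"):
    """Create a temp dir with one constructed file; return (root, path, digests)."""
    root = tempfile.mkdtemp(prefix="ioc_hunt_demo_")
    path = os.path.join(root, "sample.bin")
    with open(path, "wb") as fh:
        fh.write(content)
    return root, path, file_digests(path)


if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_PROXY_LOG):
        print("C2 host seen:", hit)
    demo_root, _, _ = build_demo_dir()
    print("file matches:", scan_directory(demo_root))  # {} for the harmless sample
```

Point `scan_directory` at download, mail-attachment and user home directories and feed `scan_log_lines` with proxy or DNS logs; any hit on a published hash or on the C2 host warrants isolating the host and pulling the file for analysis rather than just deleting it.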