November 18, 2020
Severity
High
Analysis Summary
A newly discovered trojan, Jupyter, is designed to gather and exfiltrate private and sensitive information from a target system. Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.
Attack Chain
Jupyter’s attack chain typically starts with a downloaded zip file that contains an installer, an executable that usually impersonates legitimate software such as Docx2Rtf. Upon execution of the installer, a .NET C2 client (Jupyter Loader) is injected into memory. This client has a well-defined communication protocol and versioning matrix, and has recently included persistence modules.
The client then downloads the next stage, a PowerShell command that executes the in-memory Jupyter .NET module. Both .NET components share similar code structure, obfuscation, and a unique UID implementation. These commonalities indicate the development of an end-to-end framework for implementing the Jupyter infostealer.
Impact
- Browser data
- Exposure of sensitive information
Indicators of Compromise
Domain Name
- spacetruck[.]biz
- blackl1vesmatter[.]org
- vincentolife[.]com
- gogohid[.]com
URL
- http[:]//vincentolife[.]com/j
Remediation
- Block the threat indicators at their respective controls.
- Keep your browsers updated to the latest patched versions against all known vulnerabilities.
- Do not download untrusted files or zip archives from random sources on the internet, or from unknown email addresses.
- Do not execute untrusted files on your system.
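The first remediation item, blocking the published indicators, is easiest to act on once the defanged domains and URL from the Indicators of Compromise section are normalised and matched against DNS and proxy telemetry. The following is an added example written for this alert, not tooling from Rewterz: it refangs the indicators as printed above, reduces URLs to hostnames, and flags constructed sample log lines (the log format, host names and timestamps are assumptions) that touch an indicator domain or one of its subdomains, while rejecting look-alike suffix matches such as notgogohid.com.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as the alert defangs them ([.] and [:] neutralise the dots/scheme)
DEFANGED_IOCS = [
    "spacetruck[.]biz", "blackl1vesmatter[.]org", "vincentolife[.]com",
    "gogohid[.]com", "http[:]//vincentolife[.]com/j",
]

def refang(ioc: str) -> str:
    """Undo common defanging: [.] -> . , [:] -> : , hxxp -> http."""
    ioc = ioc.strip().lower().replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc)

def watch_domains(iocs):
    """Reduce domains and URLs to the set of hostnames to match against."""
    return {urlparse(i).hostname if "://" in i else i for i in map(refang, iocs)}

def is_hit(hostname: str, watch: set) -> bool:
    """True only for an exact match or a real subdomain (no bare suffix match)."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in watch)

# Constructed sample DNS/proxy log lines for the demo (not real telemetry)
SAMPLE_LOGS = [
    "2020-11-18T10:02:13Z dns src=ws-101 qname=www.example.com type=A",
    "2020-11-18T10:02:41Z dns src=ws-101 qname=vincentolife.com type=A",
    "2020-11-18T10:02:42Z proxy src=ws-101 url=http://vincentolife.com/j status=200",
    "2020-11-18T10:05:09Z dns src=ws-117 qname=cdn.gogohid.com type=A",
    "2020-11-18T10:06:00Z dns src=ws-117 qname=notgogohid.com type=A",
]

FIELD_RE = re.compile(r"\b(?:qname|url)=(\S+)")
SRC_RE = re.compile(r"\bsrc=(\S+)")

def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return (source host, contacted domain) for every line touching an IoC domain."""
    watch = watch_domains(iocs)
    hits = []
    for line in lines:
        m = FIELD_RE.search(line)
        if not m:
            continue
        value = m.group(1)
        host = urlparse(value).hostname if "://" in value else value
        if host and is_hit(host, watch):
            src = SRC_RE.search(line)
            hits.append((src.group(1) if src else "?", host))
    return hits
```

Feeding real DNS or proxy exports through `scan_logs` gives the list of internal hosts that should be isolated and examined for the Docx2Rtf-style installer described in the attack chain.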