Rewterz Threat Alert – Covid-19 Themed Malicious URLs
September 1, 2020Rewterz Threat Alert – Lokibot IOCs
September 1, 2020Severity
High
Analysis Summary
Researchers reports on an in the wild exploitation of a vulnerability in QNAP NAS devices. This vulnerability was not publicly reported on prior to these findings. The vulnerability exploited exists in the CGI program used when users log out of the QNAP NAS device. By exploiting the vulnerability, attackers are able to gain unauthenticated remote code execution capabilities. In this campaign, the remote code execution capabilities are used to download a payload using wget. Based on current observations, the researchers have been unable to identify the ultimate goal of the attackers as further malware is not installed at this time. Two additional files were discovered on the server hosting the payload currently being downloaded. Specifically, they are two text files, one containing 2 lines of seemingly random text and the other being a bash reverse shell script. The server was found to be running SSH, Metasploit, Apache httpd, and other services.
Impact
Remote code execution
Indicators of Compromise
IP
- 165[.]227[.]39[.]105
- 219[.]85[.]109[.]140
- 103[.]209[.]253[.]252
URL
- http[:]//165[.]227[.]39[.]105[:]8096/[.]sl
- http[:]//165[.]227[.]39[.]105[:]8096/rv
- http[:]//165[.]227[.]39[.]105[:]8096/aaa
Remediation
- Block all threat indicators at your respective controls.
- Ensure anti-virus software and associated files are up to date.
- Search for existing signs of the indicated IoCs in your environment.