Rewterz Threat Alert – Valak Malware
June 26, 2020
Severity
High
Analysis Summary
A spear phishing campaign initiated by the APT-C-35 group and targeting Pakistani officials was observed by the Rewterz threat intelligence team. Detailed analysis of the Excel file showed that it contains 20 different worksheets with malicious macro code embedded in it. When the victim opens the document, a macro (Workbook_Open) executes and shows the victim a message box stating that 'Microsoft Excel stopped working' (the text is hardcoded in the macro). In parallel, it executes a batch file (named s.bat) that contains step-by-step instructions for creating the folders and files 'Temp' and 'Appdata' (hardcoded in the code). Once these are created, it hides the files and folder and saves the computer name to another file (agnia) created by the attacker in the Appdata folder. After the files and folders have been created and their hidden attribute set, it extracts the actual payload DLL, named 'sqmap.dll', into the created directory (the Appdata folder).
A detailed analysis of this attack is also available on our Threat Intelligence blog.
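The chain described above (Excel spawning a batch file, hiding the dropped folder, then writing a DLL under Appdata) can be expressed as a behavioral detection over endpoint telemetry. The following is an added example written for this alert, not code from Rewterz; the event records are constructed Sysmon-style samples and their field names, PIDs and paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the advisory). type 1 = process create,
# type 11 = file create; field names mirror Sysmon but are assumed here.
EVENTS = [
    {"type": 1, "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "cmd": "EXCEL.EXE invoice.xls"},
    {"type": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": r'cmd /c "C:\Users\u\s.bat"'},
    {"type": 1, "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\attrib.exe", "cmd": r"attrib +h +s C:\Users\u\Appdata"},
    {"type": 11, "pid": 200, "path": r"C:\Users\u\Appdata\agnia"},
    {"type": 11, "pid": 200, "path": r"C:\Users\u\Appdata\sqmap.dll"},
    # Benign tree: Excel launching a print helper, no batch file, nothing hidden.
    {"type": 1, "pid": 300, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE", "cmd": "EXCEL.EXE budget.xlsx"},
    {"type": 1, "pid": 301, "ppid": 300, "image": r"C:\Windows\splwow64.exe", "cmd": "splwow64.exe 12288"},
]

# Each stage is a predicate over (event, parent process event or None).
STAGES = {
    "excel_spawns_batch": lambda e, p: bool(p) and p["image"].lower().endswith("excel.exe")
                                       and ".bat" in e.get("cmd", "").lower(),
    "hides_dropped_dir": lambda e, p: e.get("image", "").lower().endswith("attrib.exe")
                                      and "+h" in e.get("cmd", ""),
    "dll_written_to_appdata": lambda e, p: e["type"] == 11
                                           and re.search(r"\\appdata\\[^\\]+\.dll$", e["path"], re.I) is not None,
}

def find_excel_macro_chains(events):
    """Return {root_pid: [stages]} for every Excel process tree that hits all three stages."""
    procs = {e["pid"]: e for e in events if e["type"] == 1}

    def root_of(pid):
        # Walk parent links up to the topmost process present in the telemetry.
        while pid in procs and procs[pid]["ppid"] in procs:
            pid = procs[pid]["ppid"]
        return pid

    hits = defaultdict(set)
    for e in events:
        parent = procs.get(e.get("ppid"))
        for name, rule in STAGES.items():
            if rule(e, parent):
                hits[root_of(e["pid"])].add(name)
    # Require the full chain so a single stage (e.g. any attrib +h) does not alert on its own.
    return {root: sorted(s) for root, s in hits.items() if len(s) == len(STAGES)}

if __name__ == "__main__":
    print(find_excel_macro_chains(EVENTS))
```

Requiring all three stages under one Excel root keeps the rule from firing on routine Office child processes, while still catching the specific drop sequence this alert describes.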
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
- IP: 185[.]141[.]61[.]120
- MD5: 4428912F168F3F1F0554126DE7B4ECED
- SHA-256: c3ccf4fc47d67afeb30728c67800ad9ff5727bb191ec9838b16cd63d450258a9
- SHA-1: b958b4fc7a8bbc0b598df67cb47b04b9efe8f63f
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.