September 23, 2020
Severity
Medium
Analysis Summary
Researchers issued a warning to their government customers about a new APT28 (aka Sofacy, Sednit, Fancy Bear, STRONTIUM, etc.) campaign targeting government bodies of NATO members (or countries cooperating with NATO) and dropping Zebrocy malware. At first glance, the sample appears to be a valid JPEG image file.
However, further analysis revealed that a Zip file had been concatenated to the sample. This technique works because JPEG files are parsed from the beginning of the file, while some Zip implementations parse Zip files from the end (since the central directory index is located there) without checking the signature at the front.
The technique is also used by threat actors to evade AVs or other filtering systems, which may mistake the file for a JPEG and skip it. Interestingly, in order to trigger decompression of the file on Windows after the user clicks on it, the following conditions need to be met: a) the file must be named with a .zip (or .zipx) extension; b) the file needs to be opened with WinRAR. If the targeted victim uses WinZip or the default Windows utility instead, the file will show an error message claiming it is corrupted.
After decompressing the appended ZIP file, the two samples are dropped.
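As an added detection example (not code from the advisory), the Python below mirrors the lenient from-the-end Zip parsing described above: it scans the tail of a file for a Zip End Of Central Directory record, verifies the central directory it points to, and flags any file that starts with a JPEG marker yet carries a valid appended Zip. The JPEG+Zip sample it checks is constructed inline and contains a harmless placeholder entry, not the campaign's files.

```python
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8\xff"          # JPEG files are parsed from this leading marker
EOCD_SIG = b"PK\x05\x06"            # Zip End Of Central Directory, parsed from the end
CD_SIG = b"PK\x01\x02"              # Zip central directory file header
MAX_EOCD_SCAN = 22 + 65535          # fixed EOCD size plus the maximum archive comment

def find_trailing_zip(data: bytes):
    """Find a Zip central directory by scanning from the end, as lenient archivers do.
    Returns the number of bytes that precede the Zip stream, or None if no valid Zip is found."""
    tail_start = max(0, len(data) - MAX_EOCD_SCAN)
    eocd = data.rfind(EOCD_SIG, tail_start)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    # EOCD fields: disk no, CD disk, entries on disk, total entries, CD size, CD offset, comment len
    _, _, _, entries, cd_size, cd_offset, _ = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    # The stored CD offset is relative to the start of the Zip stream; anything before it is a prefix
    prefix_len = eocd - cd_size - cd_offset
    if prefix_len < 0 or entries == 0 or data[prefix_len + cd_offset:prefix_len + cd_offset + 4] != CD_SIG:
        return None
    return prefix_len

def is_jpeg_zip_polyglot(data: bytes) -> bool:
    """True when the file starts like a JPEG but carries a valid Zip archive appended after it."""
    if not data.startswith(JPEG_SOI):
        return False
    prefix_len = find_trailing_zip(data)
    return prefix_len is not None and prefix_len > 0

def list_appended_entries(data: bytes) -> list:
    """Entry names a from-the-end parser (Python's zipfile here) would extract from such a file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_sample() -> bytes:
    """Constructed sample for testing: a minimal JPEG (SOI, APP0/JFIF, EOI) with a real Zip appended."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("placeholder.txt", "constructed, harmless content")  # stands in for the dropped files
    return jpeg + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    print("polyglot:", is_jpeg_zip_polyglot(sample), "entries:", list_appended_entries(sample))
```

A plain JPEG yields no trailer and a plain Zip yields a prefix length of 0, so only the concatenated form is flagged.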
Impact
- Exposure of sensitive data
- File and Directory Discovery
- Process Discovery
Indicators of Compromise
Filename
- Course 5 – 16 October 2020[.]zipx
URL
- http[:]//1943278245/protect/get-upd-idphp
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.