
Rewterz Threat Alert – APT28 Delivers Zebrocy Malware Campaign Using NATO Theme as Lure

September 23, 2020

Severity

Medium

Analysis Summary

Researchers have warned their government customers about a new APT28 (aka Sofacy, Sednit, Fancy Bear, STRONTIUM) campaign that targets government bodies of NATO member states and of countries cooperating with NATO, and drops Zebrocy malware. At first glance, the sample appears to be a valid JPEG image file.

However, further analysis revealed that a Zip archive is concatenated to the end of the image. The technique works because JPEG parsers read a file from the beginning, whereas many Zip implementations locate the archive from the end of the file (where the End of Central Directory record, which indexes the archive, is stored) without checking the signature at the front.

Threat actors also use this technique to evade AV and other filtering systems, which may classify the file as a JPEG and skip it. Interestingly, two conditions must be met for Windows to decompress the file when the user double-clicks it: a) the file must be named with a .zip or .zipx extension; b) it must be opened with WinRAR. If the targeted victim uses WinZip or the built-in Windows utility, the file produces an error message claiming it is corrupted.
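The following script is an added illustration and is not code from the advisory or from the researchers it cites. It builds a constructed JPEG/Zip polyglot (a stand-in with JPEG markers, not a real picture, plus a small constructed payload), shows that Python's zipfile reads the archive from the end exactly as described above, and then implements the check a defender would want: a file that starts with a JPEG SOI marker but whose End of Central Directory record points to a central directory that does not start at byte 0 has something prepended to a Zip archive. Function names and the sample payload are assumptions for this example.

```python
import io
import struct
import zipfile

# Constructed stand-in for the lure: a minimal JPEG marker structure (SOI, JFIF APP0, EOI).
# Not the advisory's sample; built inline so the script runs offline.
JPEG_HEADER = (
    b"\xff\xd8"                                   # SOI marker
    + b"\xff\xe0" + struct.pack(">H", 16)         # APP0 marker + segment length (16 bytes)
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # JFIF 1.1, no density units, no thumbnail
    + b"\xff\xd9"                                 # EOI marker
)

EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4s4H2LH"   # sig, disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
EOCD_LEN = struct.calcsize(EOCD_FMT)   # 22 bytes without the trailing comment
MAX_COMMENT = 0xFFFF                   # the EOCD may be followed by up to 65535 bytes of comment


def build_polyglot(member_name: str, payload: bytes) -> bytes:
    """Return bytes that look like a JPEG from the front and are a Zip archive from the back."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)       # constructed payload, assumption for this example
    return JPEG_HEADER + buf.getvalue()


def read_appended_zip(blob: bytes) -> dict:
    """What a Zip reader sees: zipfile finds the EOCD from the end, works out how many bytes
    were prepended, and opens the archive as if the JPEG prefix were not there."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def zip_prefix_length(blob: bytes):
    """Number of bytes that precede the Zip data, or None if no EOCD record is found.
    In a clean archive the central directory ends exactly where the EOCD begins, so the
    difference between the EOCD position and (cd_offset + cd_size) is the prepended size."""
    tail_start = max(0, len(blob) - (EOCD_LEN + MAX_COMMENT))
    idx = blob.rfind(EOCD_SIG, tail_start)
    if idx == -1 or idx + EOCD_LEN > len(blob):
        return None
    (_sig, _disk, _cd_disk, _n_disk, _n_total,
     cd_size, cd_offset, _comment_len) = struct.unpack(EOCD_FMT, blob[idx:idx + EOCD_LEN])
    prefix = idx - (cd_offset + cd_size)
    return prefix if prefix >= 0 else None


def is_jpeg_zip_polyglot(blob: bytes) -> bool:
    """Detection check: JPEG SOI at the front plus a Zip archive that does not start at byte 0."""
    looks_like_jpeg = blob[:3] == b"\xff\xd8\xff"
    prefix = zip_prefix_length(blob)
    return looks_like_jpeg and prefix is not None and prefix > 0


if __name__ == "__main__":
    sample = build_polyglot("constructed_payload.bin", b"\x00" * 64)
    print("members seen by a Zip reader:", list(read_appended_zip(sample)))
    print("bytes prepended to the archive:", zip_prefix_length(sample))
    print("flagged as JPEG/Zip polyglot:", is_jpeg_zip_polyglot(sample))
```

The check deliberately does not trust the extension: a `.zipx` that opens fine in WinRAR and a `.jpg` that a mail gateway waved through are the same bytes, so it is the content, not the name, that should be scanned at the gateway and on the endpoint.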

Decompressing the appended Zip archive drops two samples.

Impact

  • Exposure of sensitive data
  • File and Directory Discovery
  • Process Discovery

Indicators of Compromise

Filename

  • Course 5 – 16 October 2020[.]zipx

MD5

  • b66c2aa25d1f9056f09d0a158d20faef
  • d5e45a9db7f739979105e000d042f1fe
  • a14c1fd7b59b34515e6a8a286114c48f
  • 7b7125426d8874acdfba034fa26200e9

SHA-256

  • b45dc885949d29cba06595305923a0ed8969774dae995f0ce5b947b5ab5fe185
  • aac3b1221366cf7e4421bdd555d0bc33d4b92d6f65fa58c1bb4d8474db883fec
  • 6e89e098816f3d353b155ab0f3377fe3eb3951f45f8c34c4a48c5b61cd8425aa
  • eb81c1be62f23ac7700c70d866e84f5bc354f88e6f7d84fd65374f84e252e76b
  • fae335a465bb9faac24c58304a199f3bf9bb1b0bd07b05b18e2be6b9e90d72e6

SHA-1

  • d7bf3ea3966f0399acfc3886ec66a7ca4d1675bf
  • 6861a086926980ec01d6f25985ea2498b4aee0a4
  • 99c6c6fb3ff79680f8cefeaee0b019993e05fa0d
  • 537224111b8e5bdce214d408c07774894ae3ea24

URL

  • http[:]//1943278245/protect/get-upd-idphp

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment. Note that the C2 host above is written as a dotless decimal IP (1943278245), which is 115[.]212[.]18[.]165 in dotted form; search proxy and DNS logs for both representations.
  • Hunt for files whose first bytes are a JPEG marker but which contain a Zip End of Central Directory record at the end, regardless of extension; treat .zipx attachments from external senders with the same suspicion as executables.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.