Severity
Medium
Analysis Summary
A new wave of malicious emails has been observed dropping attachments that lead to NanoCore RAT infection. The campaign uses an invoice-themed email subject. Multiple indicators of compromise have been retrieved and are listed below.
Impact
NanoCore RAT infection
Indicators of Compromise
IP(s)/Hostnames
- 185.165.153[.]237
- 92.222.72[.]160
- 185.244.29[.]85
- 213.183.58[.]30
- 185.234.216[.]76
- 77.235.58[.]150
URLs
- kingdevil.ddns[.]net
- iguazuargentina[.]com
- tecklink.publicvm[.]com
Filename
- invoice#003.img -> invoice#003.exe
- Fedex Receipt.img
Email Address
- info[@]verpleeghuisevie[.]sr
- teddybanks454[@]yahoo[.]com
- sales[@]flexpress[.]com
Email Subject
- Overdue Invoice
Malware Hash (MD5/SHA1/SHA256)
- 0db20042e4b5c0f048001b8b62b13bf9
- 997fb515527aba0f5b0beab95661f48b4329077e
- 886338ebc04e728338874b07365d4fd337998e1786893b680065358e815a6d02
- 208cd564304ef7fe98a0c3da095fec3b
- 00199f1675ca431351cad7193bf60859ce8c238b
- b3aef0e1d7a71edbc858a81e66f354be1974aafdd4449f2972e4dae1c82f2b8a
- 0be479263ede63dc6af79ffc5fce3ee3
- aa10739682d2f507665263ac7051a6adfc7345d8
- c75501c8e5e64c7a532ab5cd313cec069dd16a77ac2a2d928f7474e145cce0c0
- cd84d022a297ff56c49028f1903ec277
- 63d5df1e79a209d8f81ddfd4d70b273c5b46b881
- 859ca7653dd6637a0bd815d414531c49e09b540a5ba48314da83d8c3dae17659
Remediation
- Block the threat indicators at their respective controls.
- Never click on links/attachments sent by unknown senders.