Rewterz Threat Alert – InfoStealers Weaponizing COVID-19
May 14, 2020Rewterz Threat Alert – AgentTesla Malware – IOCs
May 14, 2020Rewterz Threat Alert – InfoStealers Weaponizing COVID-19
May 14, 2020Rewterz Threat Alert – AgentTesla Malware – IOCs
May 14, 2020Severity
High
Analysis Summary
Hangover threat group’s use of the BackConfig malware in attacks against government and military organizations in South Asia. In almost all cases, the initial malware was hosted on a compromised site and a link was sent to targets in spear phishing emails. Besides the usage of an RTF document in a couple instances, a macro-enabled XLS document was the main format of the initial file. The decoy content in the document uses a theme relevant to the target, such as housing program registration forms in the country of interest. The macros then proceed to perform the tasks needed to ultimately infect the system with the BackConfig malware. The specific steps taken to do this have evolved over the years. The most recent version uses a combination of text files and batch scripts dropped by the macro to ultimately download the BackConfig payload from a remote URL. Persistence is also established by the macro code via scheduled tasks. Once on the system, BackConfig’s modular architecture can be used to perform a variety of tasks, such as gathering system information, keylogging, and downloading additional payloads.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
SHA-256
- 56349cf3188a36429c207d425dd92d8d57553b1f43648914b44965de2bd63dd6
- 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c
- 021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b
- be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461
- 0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf
- ed638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb
- 752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f
- 4BAFBF6000A003EB03F31023945A101813654D26B7F3E402D1F51B7608B93BCB
- C94f7733fc9bdbcb503efd000e5aef66d494291ae40fc516bb040b0d1d8b46c9
- 6a35d4158a5cb8e764777ba05c3d7d8a93a3865b24550bfb2eb8756c11b57be3
- 750fc47d8aa8c9ae7955291b9736e8292f02aaaa4f8118015e6927f78297f580
- 5292f4b4f38d41942016cf4b154b1ec65bb33dbc193a7e222270d4eea3578295
- f64dbcd8b75efe7f4fa0c2881f0d62982773f33dcfd77cccb4afc64021af2d9e
- 98d27e830099c82b9807f19dcef1a25d7fce2c79a048d169a710b272e3f62f6e
- 29c5dd19b577162fe76a623d9a6dc558cfbd6cddca64ed53e870fe4b66b44096
- abe82ffb8a8576dca8560799a082013a7830404bb235cb29482bc5038145b003
- 02c306bb120148791418136dcea8eb93f8e97fb51b6657fd9468c73fb5ea786c
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.