Rewterz Threat Alert – Weaponized Legitimate Open-Source Software
November 27, 2020Rewterz Threat Alert – Nanocore – IoCs
November 27, 2020Rewterz Threat Alert – Weaponized Legitimate Open-Source Software
November 27, 2020Rewterz Threat Alert – Nanocore – IoCs
November 27, 2020Severity
High
Analysis Summary
A new digitally-signed Bandook malware sample is spotted in the wild, aiming at high-value targets across multiple sectors, including government, financial, energy, food industry, healthcare, education, IT, and legal institutions. Victims have been spotted covering a diverse and large geographical area. reportedly, a cyberespionage group with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks against a multitude of industries with a retooled version of a 13-year-old backdoor Trojan. The infection chain is a three-stage process that begins with a lure Microsoft Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file that, when opened, downloads malicious macros, which subsequently proceeds to drop and execute a second-stage PowerShell script encrypted inside the original Word document.
Impact
- Unauthorized Remote Access
- Code Execution
- Information Theft
Indicators of Compromise
Domain Name
- pronews[.]icu
- ntsclouds[.]com
- vsimperial[.]com
- mxtms[.]com
- nopejohn[.]com
- horizongb[.]com
- olex[.]live
- styleco[.]me
- raysdoor[.]com
- mainsrv[.]top
- idcmht[.]com
- vdscloud[.]net
- ewsdocs[.]com
- jtoolbox[.]org
- htname[.]info
- ercuc[.]com
- p2020[.]xyz
- tancredis[.]com
- 2ndprog[.]monster
- branchesv[.]com
Filename
- Malaysia Shipment[.]docx
- Jakarta Shipment[.]docx
- malta containers[.]docx
- Certified documents[.]docx
- Notarized Documents[.]docx
- bank statement[.]docx
- passport and documents[.]docx
- Case Draft[.]docx
- documents scan[.]docx
Hostname
- ec2[.]mbcde[.]net
- s2[.]fikofiko[.]top
- s1[.]megawoc[.]com
- d2[.]p2020[.]club
- d1[.]p2020[.]club
- s2[.]megawoc[.]com
- s3[.]megawoc[.]com
- s1[.]fikofiko[.]top
- s3[.]fikofiko[.]top
MD5
- 70ff19341dee7973ea6dd8e15c6ba86f
- 27f8d8bbbeeda5fc439ee18d9d4da343
- f037f3961f7d9fe1eb7afa889b556cb1
- d22b31848b6f17efc87d538dede2f2a7
- b9b8d6f46ff3a9058ffe4b304604b4e7
- 96f09c5c56f59c733d1a9b01fea0cfb4
- 17fe9611ea566887b3ef42284f96de03
- 83311c960609418d5f0a5160324ceb1d
- 44584c8d010242fddb44afe5ce860872
- d1600f45005aa8b8fcbb446f34f7b9f5
- 4d7e67ed02713c789336f8804231b1ca
- 4e9e12c98cfbc5f3aa3c1345bd063fa0
- 045ce6679ed4086e2ded58470e24c15a
- 7c15ee5b9a12dacaace8fb62271f12f1
- 3f310215a70d748f9335c767e61a2ab4
- 7ef261c151519e66ec369c63e4b1aed4
- 0475771b8bc3efc28b1834f3add608f3
- b5138c77983dba10c4976c411161bbf9
- 9bcf889b14968c61df95961a161719ba
- 07111aff7afc052a81f267ea2e83dcef
- 07776b2dd00bcd0be1c7713c37d41120
- 53b7bdd75776f342bf5f5395d4c46520
- eb402e8dd2cae58476acc8e697ee7171
- a6501c62b3a6ffa8d028a88138fe509f
- 1a3889ded73044f8ba0a00c2f089a3bd
- bca04d74261fedfbd191ffd5e7cf6214
- d6e524514e0d112015c841b62377d648
- cfea49c577ef865de659d5b8025db3f9
- 28ad9ace11919b57bf540e2b9debf8dd
- 6effed1b1bb5e9ed6aafacb075c1d4e2
- 5a3f7c46748791494e29383d1f58a908
- 573c7dbf4d3aed421bff58df770610fe
- 54ad403349831b175a98a429f818f02a
SHA-256
- 9a0ee2430f7c77942d544dad6787ca8a94470f6555f1cb08baa9d099c92f8447
- 74feaf3aa116a88ef3b10453e77feadefbe4e53dd7a71dd3b8309cc9d76cdec9
- 6af6fe3eafd4cf2c82738d45a6a95577d970f3fbbe094afd24d1d4a0bb5ad1b4
- aa868d007c4dfd825104faafb3798b9ab745b29794a57365bef41ec3f6019eea
- 9a19522b23acfc6705e4fac65640527a8adbbc9719dab436f28101b6cbc140c6
- 408c11caf548048732ac21e88a54e80d47a05b9619c1c16b65fa850e0172f428
- 766917fe9b543bf218bd824d55967d63f94b28456f1d4919bc990d8262dc608d
- 5900abb869c61928f0ef931d6f9d8b62183b2bab9a69b0ef886551005d6c9622
- a9a8b0aa5f137e7353db62dc1609da3c709ca30287a5605c73aafaf4968d1e8d
- 3fda0a5da313886b0339eee65c69c779ed620b303ba079ee0864ca4a1496b0b4
- 9de287f9af63f02c51c69d9c8480fee2bd4d4bd3c818f2ba81324b1f8ce495c0
- 1ad83e9d06428dd87203ab8fcc6142014a9c05f3eb9afd61347834f39082d72a
- 27c6341554a04bdc792ffbc5cda26511cbcfcc66334fb6ebbc24a14969b4e498
- 8cb1f713761a6b31c9c25dd2c7ae11e575a634c9f052cfd598ada35a61783230
- 1b0d2d096c5f7fff02a5a4ce623b71b862f63e306a0760722f710c425b4e16ec
- add9f9dca97c3b6d52efe7d48ecd3d349a70411eaa3d4aeff6e6215b77f42b90
- 2ee74ae5b202c8aab288ca167c630e9ee3569240958e984474b960cd560bbe95
- 6287fc617ff6881169990e6b877c16d8ca3c199f7e453241a0b18a7907c67ab0
- 306238a63896fa8b79b4c9a6d25fd906bb9e4919bc698608ab970677d15b0694
- ea4792353e0f97968e7c69ffba81c144f22f54382af4e61a1347edd0ae15830f
- 072c103759968253b7b25837b43eec546c625ae9c04edd52321d848cf6078b87
- 034d8ec8d510033c387bb87cac35d240b7b8daa3b5167732118c755c5e6c1d48
- aed7ab5d0de01c3724c917c034e26a5e9eed3f7fbf4082b024576a41725d66cf
- d217288a046e2739159d0081608a44c2e79d41de12c57ebe88a8591693fa15d5
- d4cf5c5c60e972cc19782d1f37ec9d47dd1e81cdf481b64dab62f96bac846bb4
- 97ea91fb673f4994da491433751c4fca011993ba10191f09c70ca6c8d2b4f944
- ba153e449ee926c019b548997c32d0579b9c6f350b1590a025d5d9a216ddbffd
- ce8ad96819c814dd1735e621639a8845ae7132375879cc5b5d5f6877cb909a68
- 40cc5933e608f7a2a5c13af1066257c9e41528bb85e434e2bc3d1f4802dec24d
- 0750c7cdc538d79d9ffed0d37f5d9a083902b49ec02d75ee88028db9f3668b59
- 41ccf6de0d51bd29d35be12ae24f04b2f88ec2b202b239424f90c666d25473e8
- 66c86f29afb1152aad8e426ebb6569ad03ce7b69ea3c8a5cc40011c2a3ab973b
- 06ed3daccfbb30c68a33583a761fc20cc3e21adb8dd64a42d922e6da2a01c0dd
SHA1
- 816b2442c17585396b73b54fbc87be624d55276c
- d6b69cb3689341997d93b03fbd4499fe60f29b35
- 7e9fcbd7f31c3a4ddb3221351e8d04ecdce69474
- a8f2b1f1a1200d25d751b5559a31c034781ea33e
- 47b8d74725f353dad8177c478ffa77d424e9a34e
- a31296f1eed15262f070abb3e89acf1a3917746a
- 57c9411b444ce4fddf6ddf210dd7dfd008c156ac
- 8790c9c1ffdf7ce7d7c1a0825a73ef75958fd9c5
- 99e724a6941c65eed20ac13c4940e325fd323082
- 788489ecd0e43f74c7d8df841bee8367cba2164d
- b1604a158cdd24182d8d4198fb17f4d348b92601
- 118633bbe46520c65529c0cd1d6eb52f810f6327
- c4d7332f09c7e917d5dd56930854e735cfce45fa
- 49a8149054440e33a6228b42f731e2f8035049e5
- 03508cbeec86346d6658da8c9d34638c57dad920
- aad7ec556d8d6e4333552d23588734d339373ab8
- 1e45d9c3ff9bb7e2ed236384694237dcd956de2b
- 9d0deca8dbdf25bdb9208772f861c28aa5a4e95f
- 9b47ab36a00d83c119620318e4924ce50cec2512
- cf96410d1cde40aaebfe32f26354282a7773abaf
- 9e33cbc25a8ad9987f88d5e1d181098142579f54
- e98700d562edb0ed29e429d0263ec448daf8a5f2
- 500813f95615b25f622e82e6c79431d7f4928bc4
- 424e3570f36fdb541e9b49f9d6824949ccf96ea6
- 7f534338d1399221bb2134d917a1e3eef8b309e5
- e78721fd283b0093fb0556167e1b38b81ed0c7bb
- 8971b585f8bf7d9f086d97d2d640ed4ce7f6b178
- 154c16ecfa56b71ce7b6f3fca4be4e0820e34665
- 55d1a679ae7e812d5c91ef78bec4095a2048427c
- 8c4d5618c3ab2d2411ede54f443560891a78986b
- b0d64b13407da0c6db1aced2d9e110802c05a6d3
- 9087c24b181d58bb57d02a1ce19f8d17d63476b4
- f6b1b3fc532b516366de6b3452b5c23441386e17
Remediation
- Block the threat indicators at respective controls.
- Do not download files attached in untrusted emails sent by unknown senders.