March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Advisory – CVE-2020-3440 – Cisco Webex Meetings Desktop App for Windows Arbitrary File Overwrite Vulnerability
August 20, 2020
Rewterz Threat Alert – FritzFrog Botnet Attacking Millions of SSH Servers
August 20, 2020
Rewterz Threat Advisory – CVE-2020-3440 – Cisco Webex Meetings Desktop App for Windows Arbitrary File Overwrite Vulnerability
August 20, 2020
Rewterz Threat Alert – FritzFrog Botnet Attacking Millions of SSH Servers
August 20, 2020
Severity
High
Analysis Summary
Researchers have an analysis of malicious files related to Hidden Cobra’s BLINDINGCAN RAT. The campaign that these malicious files were discovered in targeted government contractors via job posting themed phishing emails. The first four analyzed files were all lure documents in Microsoft Word format containing a decoy image. An embedded XML file in each of these samples attempts to connect to a remote URL in order to download a next-stage payload. At time of analysis, none of the URLs were accessible so the next-stage executable was unable to be obtained for analysis. Researchers also also analyzed two DLL files, one 32-bit and one 64-bit, both with identical functionality. The first DLL is responsible for extracting, decoding, installing, and executing a seconday DLL. Once installed, this secondary DLL extracts two additional embedded DLLs, which are decrypted and loaded into memory. The payload running in memory was identified to be a RAT, which the researchers dubbed “BLINDINGCAN.” It first exfiltrates RC4-encoded system information to the C2 server. In response, the C2 server is capable of issuing commands to retrieve additional information, create/start/terminate processes, search/read/write/move/execute files, delete malicious artifacts, and more.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
Domain Name
- agarwalpropertyconsultants[.]com
- anca-aste[.]it
- automercado[.]co[.]cr
- curiofirenze[.]com
SHA-256
- 0fc12e03ee93d19003b2dd7117a66a3da03bd6177ac6eb396ed52a40be913db6
- 158ddb85611b4784b6f5ca7181936b86eb0ec9a3c67562b1d57badd7b7ec2d17
- 586d012540ed1244572906e3733a0cb4bba90a320da82f853e5dfac82c5c663e
- 6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1
- 7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971
- d40ad4cd39350d718e189adf45703eb3a3935a7cf8062c20c663bc14d28f78c9
- 58027c80c6502327863ddca28c31d352e5707f5903340b9e6ccc0997fcb9631d
- 7d507281e2e21476ff1af492ad9f574b14cbf77eb4cda9b67e4256318c7c6bbd
- 8b53b519623b56ab746fdaf14d3eb402e6fa515cde2113a07f5a3b4050e98050
- b70e66d387e42f5f04b69b9eb15306036702ab8a50b16f5403289b5388292db9
- bdfd16dc53f5c63da0b68df71c6e61bad300e59fd5748991a6b6a3650f01f9a1
- d5186efd8502a3a99a66729cb847d3f4be8937a3fec1c2655b6ea81f57a314f5
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.