Severity
High
Analysis Summary
A new targeted attack has infected several organizations in Taiwan with a new ransomware family, which researchers have dubbed ColdLock. The ransomware appears to target databases and email servers for encryption. The threat actors are believed to have gained access to the Active Directory servers of the targeted organizations, where they set Group Policies that caused the ransomware file to be downloaded and run on machines within the affected domain.
The payload arrives as a .NET executable (a .DLL file) that has been packed/protected with the ConfuserEx protector. It is run through PowerShell, which reflectively loads the .NET assembly in memory and executes the DLL from there.
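In-memory loading of a .NET assembly from PowerShell leaves a trace in script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational, field ScriptBlockText, when script block logging is enabled). The following is an added example, not the alert's or the malware's code: it scans script-block text for the generic PowerShell idioms of that technique (a `[Reflection.Assembly]::Load(` call fed from bytes, an entry-point invocation, and a base64 blob that decodes to an "MZ" PE header). The sample script blocks are constructed for the example; the real ColdLock loader script is not reproduced in this alert.

```python
"""Flag PowerShell script blocks that reflectively load a .NET assembly.

Added example with constructed inputs. The indicator patterns are the
generic PowerShell idioms for loading an assembly from bytes in memory;
they are not signatures taken from the ColdLock sample.
"""
import base64
import re

# Idioms for in-memory assembly loading and for staging the assembly bytes.
PATTERNS = {
    "reflective_assembly_load": re.compile(
        r"\[\s*(?:System\.)?Reflection\.Assembly\s*\]\s*::\s*Load\s*\(", re.IGNORECASE),
    "assembly_from_bytes": re.compile(
        r"(?:FromBase64String|ReadAllBytes|DownloadData)\s*\(", re.IGNORECASE),
    "invoke_entrypoint": re.compile(
        r"\.\s*(?:EntryPoint\s*\.\s*Invoke|GetType\s*\(.*?\)\s*\.\s*GetMethod)", re.IGNORECASE),
}

# Any long base64 run; a PE image encoded in base64 starts with "TVq" ("MZ").
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def embedded_pe_blobs(text):
    """Count base64 runs in the script text that decode to bytes starting with 'MZ'."""
    hits = 0
    for m in B64_BLOB.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        if raw[:2] == b"MZ":
            hits += 1
    return hits


def classify_script_block(text):
    """Return the indicators matched in one script block and a verdict."""
    matched = sorted(name for name, rx in PATTERNS.items() if rx.search(text))
    pe_blobs = embedded_pe_blobs(text)
    if pe_blobs:
        matched.append("embedded_pe_base64")
    # Loading an assembly from bytes is the core of the technique; the other
    # indicators only raise confidence and help triage.
    suspicious = "reflective_assembly_load" in matched
    return {"indicators": matched, "pe_blobs": pe_blobs, "suspicious": suspicious}


def flagged_blocks(blocks):
    """Names of the script blocks (name -> text) that contain a reflective assembly load."""
    return [name for name, text in blocks.items() if classify_script_block(text)["suspicious"]]


# Constructed samples: a minimal "MZ" byte string stands in for a real assembly.
FAKE_PE = base64.b64encode(b"MZ" + b"\x90" * 62).decode()
SAMPLES = {
    "loader": (
        "$b=[Convert]::FromBase64String('" + FAKE_PE + "');"
        "$a=[System.Reflection.Assembly]::Load($b);"
        "$a.EntryPoint.Invoke($null,$null)"
    ),
    "benign": "Get-ChildItem C:\\ProgramData | Where-Object { $_.Length -gt 1MB }",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_script_block(text))
```

On a live host the ScriptBlockText values would come from Get-WinEvent over the Microsoft-Windows-PowerShell/Operational log (event ID 4104) or from the SIEM that collects it; only the input source changes, the classification does not.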
It also contains two checks that decide whether it should run. The first checks for the presence of %System Root%\ProgramData\readme.tmp, the file used for the ransom note; if the file already exists the ransomware does not proceed, which prevents a system from being reinfected by the same threat.
Before encryption starts, the ransomware also stops the following services if they are running, so that their open database and mail-store files can be encrypted without file access violations:
- mariadb
- msexchangeis
- mssql
- mysql
- oracleservice
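Several of these services stopping on one host within a short window is a useful pre-encryption signal, since a planned maintenance stop usually involves one service at a time. The following is an added example, not part of the alert: it parses constructed Service Control Manager event 7036 records ("The X service entered the stopped state") from a flat export and flags hosts where two or more of the listed service families stop within five minutes. The pipe-delimited field layout (timestamp, host, event ID, service name, new state), the five-minute window and the threshold of two families are assumptions for this example; a real Get-WinEvent or SIEM export differs only in the parser.

```python
"""Hunt for the service-stop burst that precedes ColdLock encryption.

Added example with constructed log lines. The input format, window and
threshold are assumptions; the service list is the one given in the alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Service names the alert lists as stopped before encryption. Concrete Windows
# service names carry suffixes (MSSQL$PROD, OracleServiceORCL), so prefix-match.
TARGET_SERVICES = ("mariadb", "msexchangeis", "mssql", "mysql", "oracleservice")

# Constructed sample export: timestamp|host|event_id|service|state
SAMPLE_LOG = """\
2020-05-09T03:11:58Z|DB01|7036|MySQL|stopped
2020-05-09T03:12:01Z|DB01|7036|MSSQLSERVER|stopped
2020-05-09T03:12:03Z|DB01|7036|OracleServiceORCL|stopped
2020-05-09T03:12:04Z|DB01|7036|Spooler|stopped
2020-05-09T02:00:00Z|MAIL01|7036|MSExchangeIS|stopped
2020-05-09T02:00:30Z|MAIL01|7036|MSExchangeIS|running
2020-05-09T04:30:00Z|WEB01|7036|MySQL|stopped
"""


def parse_line(line):
    """Split one export line into a dict; the layout is this example's assumption."""
    ts, host, event_id, service, state = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "event_id": int(event_id),
        "service": service,
        "state": state,
    }


def target_family(service_name):
    """Map a concrete service name to the alert's list entry, or None if unrelated."""
    lowered = service_name.lower()
    for family in TARGET_SERVICES:
        if lowered.startswith(family):
            return family
    return None


def find_stop_bursts(log_text, window=timedelta(minutes=5), min_families=2):
    """Return {host: [families]} for hosts where >= min_families of the listed
    services entered the stopped state within one window."""
    stops = defaultdict(list)  # host -> [(timestamp, family)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        family = target_family(ev["service"])
        if ev["event_id"] == 7036 and ev["state"] == "stopped" and family:
            stops[ev["host"]].append((ev["ts"], family))

    flagged = {}
    for host, events in stops.items():
        events.sort()
        # Slide a window starting at each stop; distinct families, not raw
        # count, so a single service restarting repeatedly does not alert.
        for i, (t0, _) in enumerate(events):
            families = {fam for t, fam in events[i:] if t - t0 <= window}
            if len(families) >= min_families:
                flagged[host] = sorted(families)
                break
    return flagged


if __name__ == "__main__":
    print(find_stop_bursts(SAMPLE_LOG))
```

In the constructed data only DB01 is flagged: MAIL01 shows a single Exchange store restart and WEB01 a lone MySQL stop, neither of which reaches the threshold.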
The ransom note looks very much like other ransomware notes.
The ransomware changes the system's wallpaper for all users; the new wallpaper instructs the victim to read a text file (the ransom note). It does this by changing several registry settings.
Impact
File encryption
Indicators of Compromise
MD5
234d17d8978717d33bf53015760878ea
28991de4ef6d97b324503991adb6bc0b
SHA-256
08677a3dac3609d13dc4a2a6868ee2f6c1334f4579356d162b706a03839bb9ff
c5108344e8a6da617af1c4a7fd8924a64130b4c86fa0f6d6225bb75534a80a35
SHA-1
75e49120a0238749827196cebb7559a37a2422f8
9d6feb6e246557f57d17b8df2b6d07194ad66f66
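The hashes above can be swept for directly on hosts and file shares. The following is an added example, not part of the alert: it hashes every file under a directory tree in a single pass (MD5, SHA-1 and SHA-256 together, so a large share is read once) and reports files whose digest appears in the IOC list. The hash values are the ones listed in this alert; the sweep root, the read chunk size and the self-test in `demo()` (an empty file with known digests plus a decoy matched only against a constructed IOC set) are assumptions for the example.

```python
"""Sweep a directory tree for files whose hash matches the ColdLock IOCs.

Added example. The IOC hashes are the ones listed in the alert; the sweep
root and the demo files are assumptions for this example.
"""
import hashlib
import os
import sys
import tempfile

IOC_HASHES = {
    "md5": {
        "234d17d8978717d33bf53015760878ea",
        "28991de4ef6d97b324503991adb6bc0b",
    },
    "sha1": {
        "75e49120a0238749827196cebb7559a37a2422f8",
        "9d6feb6e246557f57d17b8df2b6d07194ad66f66",
    },
    "sha256": {
        "08677a3dac3609d13dc4a2a6868ee2f6c1334f4579356d162b706a03839bb9ff",
        "c5108344e8a6da617af1c4a7fd8924a64130b4c86fa0f6d6225bb75534a80a35",
    },
}


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass over its contents."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root, iocs=IOC_HASHES):
    """Return [(path, algorithm, digest)] for every file matching an IOC hash."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked, unreadable, or removed between listing and read
            for algo, digest in digests.items():
                if digest in iocs.get(algo, ()):
                    matches.append((path, algo, digest))
    return matches


def demo():
    """Self-contained run in a temporary directory (constructed test data):
    an empty file, whose digests are well known, and a decoy that is matched
    only against a constructed IOC set so the match path is exercised without
    the real sample. Returns (empty-file digests, real-IOC hits, decoy hits)."""
    with tempfile.TemporaryDirectory() as root:
        empty = os.path.join(root, "empty.bin")
        open(empty, "wb").close()
        decoy = os.path.join(root, "decoy.dll")
        with open(decoy, "wb") as fh:
            fh.write(b"not the real sample")
        real_hits = sweep(root)  # nothing here carries a listed hash
        fake_iocs = {"sha256": {hash_file(decoy)["sha256"]}}
        decoy_hits = [(os.path.basename(p), algo) for p, algo, _ in sweep(root, fake_iocs)]
        return hash_file(empty), real_hits, decoy_hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in sweep(root):
        print(f"MATCH {algo} {digest} {path}")
```

Hash matching only catches the exact samples listed; repacked builds of the same family will not match, so treat a clean sweep as the absence of these two files rather than the absence of ColdLock.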
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.