Rewterz Threat Alert – Message Hoaxing emerges in Pakistan via ScareWare Messages
December 31, 2018Rewterz Threat Advisory – Adobe Flash Player Zero-Day vulnerability CVE-2018-15982 exploited in APT Attacks
January 4, 2019Rewterz Threat Alert – Message Hoaxing emerges in Pakistan via ScareWare Messages
December 31, 2018Rewterz Threat Advisory – Adobe Flash Player Zero-Day vulnerability CVE-2018-15982 exploited in APT Attacks
January 4, 2019SEVERITY: Medium
CATEGORY: Cyber Crime
ANALYSIS SUMMARY
A compromised email account belonging to an employee of the financial sector was used to target another financial organization in Russia. The email contained a malicious Word document, which executed Javascript to drop a Meterpreter payload. The tactical methodology of this email campaign resembles with another campaign called MoneyTaker that emerged in October 2018. Both campaigns target Russian financial organizations and use similar techniques, thereby hinting at a common origin. The email account and the email template used in this campaign belongs to Alfa Capital of Russia.
The word document contained in the email was an Office Open XML document, containing an OLE object and JavaScript containing binary data. The JavaScript is hidden behind a PDF icon in the document. As the target clicks the PDF, they receive a prompt to run the file.
The Meterpreter payload is downloaded using a HTTP POST request to 185[.]117[.]75[.]73. The SSL certificate for https://185[.]117[.]75[.]73 was issued for the domain cbrrf[.]tech which happens to be the domain for the C&C server used in the October campaign.
Peculiar as it is, the SSL certificate presented by 185[.]117[.]75[.]73 was changed in later December to a certificate for files[.]migcredit[.]host, generated via Let’s Encrypt. The domain migcredit[.]host was earlier used in the October campaign and a fresh SSL certificate suggests that it is likely to resurface in upcoming campaigns. The indicators of compromise were retrieved in the concluding week of 2018.
Indicators of Compromise
IP(s) / Hostname(s)
185[.]117[.]75[.]73
URLs
- https://185[.]117[.]75[.]73:443/LGdbmOghX_gtGSwbcQqdUAmyKLQqZKm2G6YD___QRkiZ4C9LEg6xq73ClIrpAe3OgmJxI XUe6YOVnM0VfwI7a5lLVChCdNvFZR/
- cbrrf[.]tech
- migcredit[.]host
- https://185[.]117[.]75[.]73:443/9BTDDrzQPUxjU2JSP0DQUgWrp3ssj79u9A4-85X7JJ9xCVTvfHdMD6WpfeZOJ_pOoG/
Malware Hash
- 7cae71083d2a48217c1e6daa2ecf23656d25f8e1
- 8a1be90d944b8f6b7f15eb2e67efb876a45b8ead0a496fd44a3f2daf4e65cab4
- 8958c87cf0d37660b18b050328b1d169
- 34ed9f1979a3fcf1ff166ea89073a4684c576bec
- f7d0cca48627a11bfcc3a6845cac09ec8f687a94ba75cf0fa4db042f33607993
- b26e04c40e740117c70f1fe5821650ce
- fd7d781dc27be4224c3d40abc721e28d39bfb6b7
- 071c29fcef473feae536136756c66426f635ee957b50724ee0bffa106f18fdd3
- a7cb468f17aae8b2f5bc6e0ca15e4285
- 95b03cc29cfacf86772dfedd867dfb330ef6086e
- 1e4b3f2118368f4e9aa6c87288b144e07fb1fcc63903f33d98018c6862fe3608
- febca0710ba10a58672674cf7bd5cacc
- 55df0445859df73251602144279af233c1cbcef3
- 8b1d88dec146a22d2efb6460d91ce012b00679c05a4cdcee5d1256cc81900b2e
- af300509f4190b2a6598333690076e01
Remediation
It is suggested to block the Indicators of Compromise at their respective controls. As more and more sophisticated email spam campaigns are emerging, employee training must be ensured so that they don’t fall victim to such phishing attacks.