Rewterz Threat Alert – Compromised Email account used for targeting financial organizations

SEVERITY: Medium

CATEGORY: Cyber Crime

ANALYSIS SUMMARY

A compromised email account belonging to an employee of the financial sector was used to target another financial organization in Russia. The email contained a malicious Word document, which executed Javascript to drop a Meterpreter payload. The tactical methodology of this email campaign resembles with another campaign called MoneyTaker that emerged in October 2018. Both campaigns target Russian financial organizations and use similar techniques, thereby hinting at a common origin. The email account and the email template used in this campaign belongs to Alfa Capital of Russia.

The word document contained in the email was an Office Open XML document, containing an OLE object and JavaScript containing binary data. The JavaScript is hidden behind a PDF icon in the document. As the target clicks the PDF, they receive a prompt to run the file.

The Meterpreter payload is downloaded using a HTTP POST request to 185[.]117[.]75[.]73. The SSL certificate for https://185[.]117[.]75[.]73 was issued for the domain cbrrf[.]tech which happens to be the domain for the C&C server used in the October campaign.

Peculiar as it is, the SSL certificate presented by 185[.]117[.]75[.]73 was changed in later December to a certificate for files[.]migcredit[.]host, generated via Let’s Encrypt. The domain migcredit[.]host was earlier used in the October campaign and a fresh SSL certificate suggests that it is likely to resurface in upcoming campaigns. The indicators of compromise were retrieved in the concluding week of 2018.

Indicators of Compromise

IP(s) / Hostname(s)

185[.]117[.]75[.]73

URLs

• https://185[.]117[.]75[.]73:443/LGdbmOghX_gtGSwbcQqdUAmyKLQqZKm2G6YD___QRkiZ4C9LEg6xq73ClIrpAe3OgmJxI XUe6YOVnM0VfwI7a5lLVChCdNvFZR/
• cbrrf[.]tech
• migcredit[.]host
• https://185[.]117[.]75[.]73:443/9BTDDrzQPUxjU2JSP0DQUgWrp3ssj79u9A4-85X7JJ9xCVTvfHdMD6WpfeZOJ_pOoG/

Malware Hash

• 7cae71083d2a48217c1e6daa2ecf23656d25f8e1
• 8a1be90d944b8f6b7f15eb2e67efb876a45b8ead0a496fd44a3f2daf4e65cab4
• 8958c87cf0d37660b18b050328b1d169
• 34ed9f1979a3fcf1ff166ea89073a4684c576bec
• f7d0cca48627a11bfcc3a6845cac09ec8f687a94ba75cf0fa4db042f33607993
• b26e04c40e740117c70f1fe5821650ce
• fd7d781dc27be4224c3d40abc721e28d39bfb6b7
• 071c29fcef473feae536136756c66426f635ee957b50724ee0bffa106f18fdd3
• a7cb468f17aae8b2f5bc6e0ca15e4285
• 95b03cc29cfacf86772dfedd867dfb330ef6086e
• 1e4b3f2118368f4e9aa6c87288b144e07fb1fcc63903f33d98018c6862fe3608
• febca0710ba10a58672674cf7bd5cacc
• 55df0445859df73251602144279af233c1cbcef3
• 8b1d88dec146a22d2efb6460d91ce012b00679c05a4cdcee5d1256cc81900b2e
• af300509f4190b2a6598333690076e01

Remediation

It is suggested to block the Indicators of Compromise at their respective controls. As more and more sophisticated email spam campaigns are emerging, employee training must be ensured so that they don’t fall victim to such phishing attacks.