Severity
Medium
Analysis Summary
COVID-19 continues to be a leading lure for unsuspecting victims in malspam campaigns. The latest report from researchers shows a sharp spike in this campaign since March 2020, and the use of GuLoader shows that the COVID-19 lures are not slowing down. Invoicing, COVID-19, and wire transfers are the latest subjects employed in the campaign. Each malspam message carries an attachment implanted with GuLoader, a popular RAT distribution program that allows attackers to control, monitor, and steal information from infected machines. The payload is kept encrypted and hosted on cloud services; it is stored within a Google Drive folder. The malware allocates the payload in virtual memory with read, write, and execute access and decrypts it via XOR. Anti-analysis techniques such as anti-debugging are employed. GuLoader also creates a folder in which it places a copy of itself and modifies a registry key to achieve persistence. Using process hollowing, the malware uses child processes to download, decrypt, and map the payload into memory. Common payloads include Formbook, NetWire, Remcos, Lokibot, and others.
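As an added defender-side example (not from this alert or from Rewterz), the following Python correlates constructed process, registry and network events into the behaviour chain the summary describes: a loader that writes a registry autorun value and then has a child process fetch its payload from a Google Drive or OneDrive download URL. The specific Run key, the event field names and the sample events are assumptions; the URL shapes follow the hosting patterns named in this alert.

```python
import re
from collections import defaultdict

# Download-URL shapes for the cloud hosts this alert names.
CLOUD_PAYLOAD_RE = re.compile(
    r"https?://(drive\.google\.com/uc\?export=download|onedrive\.live\.com/download)",
    re.IGNORECASE,
)
# Assumption: persistence is a Run/RunOnce value; the alert only says "a registry key".
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


def score_process_trees(events):
    """Return {loader_pid: set(reasons)} for processes that both wrote an
    autorun registry value and had a child fetch a cloud-hosted payload.
    Requiring both signals keeps ordinary Drive/OneDrive downloads unflagged."""
    parent = {}
    reasons = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            parent[pid] = ev["ppid"]
        elif ev["type"] == "registry_set" and AUTORUN_KEY_RE.search(ev["key"]):
            reasons[pid].add("autorun_registry_write")
        elif ev["type"] == "network" and CLOUD_PAYLOAD_RE.match(ev["url"]):
            # The loader hollows a child and has it download and decrypt the
            # payload, so attribute the fetch to the parent process.
            reasons[parent.get(pid, pid)].add("child_fetches_cloud_payload")
    return {pid: r for pid, r in reasons.items() if len(r) == 2}


# Constructed sample telemetry, not real events; ids are placeholders.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1, "image": "WINWORD.EXE"},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": "invoice.exe"},
    {"type": "registry_set", "pid": 200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\invoice"},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": "invoice.exe"},
    {"type": "network", "pid": 300,
     "url": "https://drive.google.com/uc?export=download&id=PLACEHOLDER_ID"},
    # Benign control: a browser downloading from Drive with no autorun write.
    {"type": "process_create", "pid": 400, "ppid": 1, "image": "chrome.exe"},
    {"type": "network", "pid": 400,
     "url": "https://drive.google.com/uc?export=download&id=OTHER_PLACEHOLDER"},
]

if __name__ == "__main__":
    print(score_process_trees(SAMPLE_EVENTS))  # flags pid 200 only
```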
Impact
- Credential theft
- Exposure of sensitive information
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.