Rewterz Threat Alert – Phobos Ransomware – Active IOCs
March 13, 2023
Severity
High
Analysis Summary
CryptBot is Windows malware capable of stealing browser credentials, cryptocurrency wallet data, browser cookies, and credit card details, and of taking screenshots of the infected system. CryptBot hides within legitimate software so that victims install it themselves. CryptBot threat actors spread the malware via websites purportedly offering software cracks, key generators, or other tools. To gain widespread visibility, the threat actors use search engine optimization to push the malware distribution sites toward the top of Google search results, producing a steady stream of potential victims. It can also spread through a fake VPN client called Inter VPN; when executed, it infects the system with CryptBot and Vidar, which then run an AutoHotKey script that downloads executables from malicious websites.
Impact
- Credential Theft
- Information Theft
- Exposure of Sensitive Data
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.
- Do not download documents attached to emails from unknown sources, and strictly refrain from enabling macros when the source is not reliable.