Severity
High
Analysis Summary
Lazarus continues to attack the cryptocurrency business with enhanced capabilities. To target macOS users, the Lazarus group has developed homemade macOS malware and added an authentication mechanism so that the next-stage payload is delivered only to verified victims; that payload is then loaded in memory without ever touching the disk. To target Windows users, the group has built a multi-stage infection procedure and significantly changed the final payload.
Impact
Exposure of sensitive information
Indicators of Compromise
MD5
URL
- https[:]//www[.]wb-botorg/certpkg[.]php
- http[:]//95[.]213[.]232170/ProbActive/index[.]do
- http[:]//beastgoccom/grepmonux[.]php
- https[:]//unioncryptovip/update
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.