June 16, 2021
Severity
High
Analysis Summary
The botnet is called “Moobot” and it scans for uncommon, but known, vulnerabilities in Tenda routers. Although there are some changes in the payloads and infrastructure of the campaign, the tactics and techniques are mostly recycled.
The botnet exploited the AT&T vulnerability CVE-2020-10987 for remote code execution (RCE). Unlike other Mirai variants, Moobot is encrypted.
Impact
- Privilege Escalation
- Remote Code Execution
Indicators of Compromise
Domain Name
- cyberium[.]cc
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
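To act on the remediation steps above, here is an added example (not Rewterz's code) of a small IOC sweep: it refangs the alert's defanged domain, matches it and any subdomain against DNS query logs, and compares file SHA-256 digests against a hash set. The BIND-style log lines and the hash placeholder are constructed for the demo; the SHA-256 values from an alert would be pasted into BAD_SHA256.

```python
import hashlib
import re

# Domain IOC as published in the alert, defanged with "[.]".
DEFANGED_DOMAINS = ["cyberium[.]cc"]

# Constructed placeholder bytes standing in for a Moobot binary; BAD_SHA256 is
# derived from them only to keep the demo self-contained. In practice, paste the
# SHA-256 values from the alert into BAD_SHA256 as literal hex strings.
SAMPLE_BAD_BYTES = b"constructed placeholder, not real malware"
BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_BYTES).hexdigest()}

# Constructed BIND-style DNS query log lines (not taken from the alert).
SAMPLE_DNS_LOG = [
    "16-Jun-2021 10:12:01.123 client 10.0.0.5#51234: query: update.cyberium.cc IN A + (10.0.0.2)",
    "16-Jun-2021 10:12:02.456 client 10.0.0.7#40211: query: www.example.com IN A + (10.0.0.2)",
    "16-Jun-2021 10:12:03.789 client 10.0.0.9#33001: query: notcyberium.cc IN A + (10.0.0.2)",
]
_QUERY_RE = re.compile(r"query: (?P<host>\S+) IN ")

def refang(ioc: str) -> str:
    """Turn a defanged indicator (cyberium[.]cc, hxxp://...) back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")

def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; look-alikes such as notcyberium.cc do not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def find_dns_hits(lines, defanged_domains):
    """Return (line_number, queried_host, matched_domain) for each query to a watched domain."""
    domains = [refang(d) for d in defanged_domains]
    hits = []
    for n, line in enumerate(lines, start=1):
        m = _QUERY_RE.search(line)
        if not m:
            continue
        hits.extend((n, m.group("host"), d) for d in domains if host_matches(m.group("host"), d))
    return hits

def find_hash_hits(samples, bad_sha256):
    """samples maps a label (e.g. a file path) to its bytes; returns labels whose SHA-256 is listed."""
    return sorted(label for label, data in samples.items()
                  if hashlib.sha256(data).hexdigest() in bad_sha256)
```

Matching on the registered domain plus subdomains catches C2 hosts under the listed domain without firing on unrelated look-alike names.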