Severity
Medium
Analysis Summary
A new email campaign is distributing the NanoCore RAT via a uniquely-formatted ZIP archive attachment. The courier-themed email claims to come from an Export Operation Specialist at USCO Logistics and asks the recipient to open a ZIP attachment that masquerades as a PDF. Unlike a typical ZIP archive, this attachment contains two End of Central Directory (EOCD) records, indicating that a second ZIP structure is embedded in the same file. Analysis determined that the first structure extracts to a benign PNG image, while the second extracts to an executable: NanoCore RAT version 1.2.2.0, released only a few months ago. The researchers tested how different archiving tools handle this oddly-formatted archive. Five common archiving tools were tested, and the version of each tool also affected the result. Two of the tools did not recognize the file as a valid archive at all. Of the remaining tools, most extracted the executable, while one extracted only the benign PNG. Placing a benign file in the first ZIP structure may allow the attachment to bypass email gateways, depending on how the gateway parses ZIP archives (a scanner that honours only the first or only the last EOCD record sees just one of the two payloads). However, even if the attachment passes security controls, successful delivery still depends on which archiving tool and version the recipient uses.
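The following is an added example, not part of the original alert, that shows how to detect the dual-EOCD trick described above. It scans an attachment for every EOCD signature, walks each central directory independently, and compares the result against what Python's stdlib zipfile reports (zipfile, like most of the tested tools, honours only the last EOCD record). The sample archive is constructed inline (a benign PNG-like entry followed by an appended archive holding an MZ-like executable); the file names and contents are placeholders, not the campaign's actual artifacts.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"            # sig, disk, cd_disk, n_disk, n_total, cd_size, cd_off, comment_len (22 bytes)
CDIR_SIG = b"PK\x01\x02"
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"   # central directory file header (46 bytes)


def find_eocd_records(data: bytes) -> list:
    """Return the offset of every plausible EOCD record, not just the last one."""
    offsets = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        # Accept the hit only if a full EOCD fits and its comment length stays inside the file.
        if pos + 22 <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + 22 + comment_len <= len(data):
                offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return offsets


def central_directory_entries(data: bytes, eocd_off: int) -> list:
    """Walk the central directory referenced by one EOCD record and return its file names."""
    _, _, _, _, total, cd_size, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd_off)
    # In a concatenated archive the second EOCD's offsets are relative to the start of its own
    # structure. Recover the shift the same way zipfile does (eocd - cd_size - cd_off).
    shift = eocd_off - cd_size - cd_off
    pos = cd_off + shift
    names = []
    for _ in range(total):
        if data[pos:pos + 4] != CDIR_SIG:
            break
        fields = struct.unpack_from(CDIR_FMT, data, pos)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode("cp437", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def zip_structures(data: bytes) -> list:
    """One file-name list per ZIP structure found in the blob."""
    return [central_directory_entries(data, off) for off in find_eocd_records(data)]


def is_dual_structure_zip(data: bytes) -> bool:
    """Flag an attachment whose multiple EOCD records describe different file sets."""
    structures = zip_structures(data)
    return len(structures) > 1 and len({tuple(s) for s in structures}) > 1


def names_seen_by_zipfile(data: bytes) -> list:
    """What a stdlib consumer sees: zipfile trusts only the last EOCD record."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample() -> bytes:
    """Constructed sample (hypothetical names/contents): benign archive with a second archive appended."""
    def make_zip(name: str, payload: bytes) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        return buf.getvalue()

    benign = make_zip("image.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    malicious = make_zip("document.pdf.exe", b"MZ" + b"\x90" * 64)
    return benign + malicious


if __name__ == "__main__":
    blob = build_sample()
    print("EOCD records:", len(find_eocd_records(blob)))
    print("structures:", zip_structures(blob))
    print("zipfile sees:", names_seen_by_zipfile(blob))
    print("dual-structure:", is_dual_structure_zip(blob))
```

A gateway or sandbox that only calls the platform's ZIP library will report the single entry `document.pdf.exe` (or, for a parser that honours the first EOCD, only `image.png`); enumerating every EOCD record and comparing the entry sets exposes the second structure regardless of which one the default parser picks.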
Impact
Complete control of the compromised machine.
Indicators of Compromise
IP
- 194[.]5[.]98[.]85
SHA1
- 9474e1517c98d4165300a49612888d16643efbf6
- 06b80f9a0fba1d830dcf2ecf225ed1d19060589a
- 0429b924e7cdbaf9f9b6aec6744eda19e8131d08
Remediation
- Block all threat indicators at your respective controls.
- Ensure email gateway and endpoint scanners parse every ZIP structure in an attachment (each EOCD record), not only the first or the last one, so a benign leading structure cannot mask an appended executable.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or open attachments sent by unknown senders.