Rewterz Threat Alert – TrickBot Employs Clever New Obfuscation Trick to evade detection

November 26, 2020

Rewterz Threat Alert – Weaponized Legitimate Open-Source Software

November 27, 2020

Rewterz Threat Alert – Egregor Ransomware Using Rclone and Cobalt Strike

November 27, 2020

Severity

High

Analysis Summary

Egregor Ransomware is targeting companies worldwide through its ransomware-as-a-service program. It has multiple means to compromise a target, including RDP exploits (mainly brute-force) and through phishing emails. It was also discovered that the malware will utilize Cobalt Strike beacon payload into the system after compromising the target to ensure persistence while also delivering and launching the Egregor payloads. The payloads for the Egregor ransomware are highly obfuscated via encrypting the payload in a combination of the ChaCha stream cipher and RSA encryption algorithm. Another feature of Egregor ransomware is the payloads will check for the primary device language used in the system, and will avoid encrypting the systems if the language is Russian, and a few others languages of the neighboring countries. The ransomware will also exfiltrate the data from the system prior to encrypting the system using an open source utility called Rclone.

There have been reports of Egregor utilizing CVE-2020-0688 (a remote code execution flaw in Microsoft Exchange). Some sources also report the possible exploitation of CVE-2018-8174 (VBScript Engine), CVE-2018-4878 (Adobe Flash Player) & CVE-2018-15982 (Adobe Flash Player). They have also been shown to use LOTL (Living off the Land) tools such as bitsadmin to download or update DLL components. In addition, some larger malware families and frameworks such as QBot have been observed distributing Egregor in recent campaigns.

Impact

Unauthorized Access
System Compromise
Files Encryption
Data Exfiltration
Remote Code Execution

Indicators of Compromise

MD5

c3c7a97da396085eb48953e638c3c9c6
dd8e8bfb45fcd5f0621fe7085bfcab94
44a7085f729b68073b5c67bbc66829cc
a922987d1488e2dede7e39a99faf98bb
427105821263afeeccca05b43ea8dac4
5f9fcbdf7ad86583eb2bbcaa5741d88a
8ba3a9d73903bd252f8d99a682d60858
ac33fea4c2a9bbca3559142838441f84
0de24cec66ef9d1042be7cf12b87cfc4
1d6aa29e98d3f54b8c891929c34eb426
666f8d920f85f9afffcf0865a98efe69
de3110dce011088cd4add1950a49182f
81bc3a2409991325c6e71a06f6b7b881
d1aa0f26f557addd45e0d9fa4afecf15
65c320bc5258d8fa86aa9ffd876291d3
6f600974c45eec97016c1259e769a4ef
7375083934dd17f0532da3bd6770ab25
c96df334b5ed70473ec6a58a545208b6
9b7ccaa2ae6a5b96e3110ebcbc4311f6

SHA-256

4ea8b8c37cfb02ccdba95fe91c12fb68a2b7174fdcbee7ddaadded8ceb0fdf97
f0adfd3f89c9268953f93bfdfefb84432532a1e30542fee7bddda14dcb69a76c
6ad7b3e0873c9ff122c32006fdc3675706a03c4778287085a020d839b74cd780
608b5bf065f25cd1c6ac145e3bcdf0b1b6dc742a08e59ec0ce136fe5142774e9
9017c070ad6ac9ac52e361286b3ff24a315f721f488b53b7aaf6ac35de477f44
2b3518937fd231560c7dc4f5af672a033b1c810d7f2f82c8151c025ce75775bf
ee06c557f1acd5c4948b1df0413e49f3885f8ac96185a9d986b91a1231444541
8483aaf9e1fa5b46486c9f2a14c688c30d2006e88de65d0295a57892de0bf4c9
004a2dc3ec7b98fa7fe6ae9c23a8b051ec30bcfcd2bc387c440c07ff5180fe9a
3aad14d200887119f316be71d71aec11735dd3698a4fcaa50902fce71bdccb07
444a6897058fd4965770167b15a2ab13e6fd559a3e6f6cf5565d4d3282587459
a9d483c0f021b72a94324562068d8164f8cce0aa8f779faea304669390775436
3fd510a3b2e0b0802d57cd5b1cac1e61797d50a08b87d9b5243becd9e2f7073f
3fc382ae51ceca3ad6ef5880cdd2d89ef508f368911d3cd41c71a54453004c55
14e547bebaa738b8605ba4182c4379317d121e268f846c0ed3da171375e65fe4
765327e1dc0888c69c92203d90037c5154db9787f54d3fc8f1097830be8c76ab
932778732711cd18d5c4aabc507a65180bf1d4bd2b7d2d4e5506be4b8193596e
3e5a6834cf6192a987ca9b0b4c8cb9202660e399ebe387af8c7407b12ae2da63
c3c50adcc0a5cd2b39677f17fb5f2efca52cc4e47ccd2cdbbf38815d426be9e1

SHA1

f1603f1ddf52391b16ee9e73e68f5dd405ab06b0
c9da06e3dbf406aec50bc145cba1a50b26db853a
5c99dc80ca69ce0f2d9b4f790ec1b57dba7153c9
948ef8caef5c1254be551cab8a64c687ea0faf84
3cc616d959eb2fe59642102f0565c0e55ee67dbc
f6ad7b0a1d93b7a70e286b87f423119daa4ea4df
8768cf56e12a81d838e270dca9b82d30c35d026e
ac6d919b313bbb18624d26745121fca3e4ae0fd3
f7bf7cea89c6205d78fa42d735d81c1e5c183041
03cdec4a0a63a016d0767650cdaf1d4d24669795
3c03a1c61932bec2b276600ea52bd2803285ec62
beb48c2a7ff957d467d9199c954b89f8411d3ca8
fa33fd577f5eb4813bc69dce891361871cda860c
56eed20ea731d28d621723130518ac00bf50170d
f0215aac7be36a5fedeea51d34d8f8da2e98bf1b
38c88de0ece0451b0665f3616c02c2bad77a92a2
95aea6b24ed28c6ad13ec8d7a6f62652b039765e
ceca1a691c736632b3e98f2ed5b028d33c0f3c64
50c3b800294f7ee4bde577d99f2118fc1c4ba3b9

Source IP

185[.]238[.]0[.]233
49[.]12[.]104[.]241
45[.]153[.]242[.]129
217[.]8[.]117[.]148
45[.]11[.]19[.]70

URL

http[:]//185[.]238[.]0[.]233/b[.]dll
http[:]//185[.]238[.]0[.]233/hnt[.]dll
http[:]//185[.]238[.]0[.]233/p[.]dll
http[:]//185[.]238[.]0[.]233/newsvc[.]zip
http[:]//185[.]238[.]0[.]233/88/k057[.]exe
http[:]//185[.]238[.]0[.]233/sed[.]dll
http[:]//49[.]12[.]104[.]241[:]81

Remediation

Block the threat indicators at their respective controls.
Do not download files attached in untrusted emails or from random sources on the internet.
Maintain a strong password policy and enable multi-factor authentication where possible.
Immediately patch all vulnerable products as soon as a security update is available.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us