September 4, 2020
Severity
High
Analysis Summary
Evilnum's operations are highly targeted at the financial sector, with a focus on the FinTech market, and abuse the Know Your Customer (KYC) documents that clients submit to those companies as lure material. The group has recently shown several changes: a different infection chain and persistence mechanism, new infrastructure that keeps expanding, and a new Python-scripted Remote Access Trojan (RAT) that Cybereason's Nocturnus team has dubbed PyVil RAT.
PyVil RAT lets the attackers exfiltrate data, log keystrokes, take screenshots and deploy additional tools such as LaZagne to steal credentials. The malware uses modified versions of legitimate executables in an attempt to remain undetected by security tools. The infection chain has shifted from a JavaScript Trojan with backdoor capabilities to a multi-process delivery procedure for the payload. Unlike previous versions, which carried an array of functionalities, this version of the JavaScript acts mainly as a dropper and has no C2 communication capability.
In a deviation from previous tactics, the initial lure is an LNK file masquerading as a PDF whose apparent content is a bundle of KYC documents such as utility bills, credit card photos and driver's licence photos. Opening it starts the JavaScript dropper, which sets up a scheduled task for persistence; that scheduled task then begins the second stage, retrieving the payload.
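The lure works because Windows Explorer always hides the .lnk extension of shortcut files (the NeverShowExt value on the lnkfile class), so a shortcut named Utility_bill.pdf.lnk is displayed as Utility_bill.pdf. The Python checker below is an added example, not part of this advisory or of Evilnum's tooling: it flags files by that document-style double extension and by the Shell Link header bytes themselves, so a shortcut hidden under a non-.lnk name is also caught. The directory it scans is constructed inside demo(); the function names are assumptions for illustration.

```python
"""Flag Windows shortcut (.lnk) files that pose as documents (added example)."""
import re
import tempfile
from pathlib import Path

# A Shell Link file starts with HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}; both are stored little-endian,
# which gives these 20 fixed bytes.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Document-looking name immediately followed by ".lnk": Explorer hides the
# .lnk suffix, so "bill.pdf.lnk" is shown to the user as "bill.pdf".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.lnk$", re.IGNORECASE)


def has_lnk_header(path: Path) -> bool:
    """True if the first 20 bytes are the Shell Link header."""
    with path.open("rb") as fh:
        return fh.read(len(LNK_MAGIC)) == LNK_MAGIC


def classify(path: Path):
    """Return a reason string if the file looks like a masquerading shortcut."""
    name_lure = bool(DOUBLE_EXT.search(path.name))
    real_lnk = has_lnk_header(path)
    if name_lure and real_lnk:
        return "shortcut with document-style double extension"
    if name_lure:
        return "document-style double extension (not a valid shortcut)"
    if real_lnk and path.suffix.lower() != ".lnk":
        return "shortcut content under a non-.lnk extension"
    return None  # plain document or an ordinary shortcut


def scan_for_lnk_lures(root) -> list:
    """Walk root recursively; return sorted (file name, reason) pairs."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            reason = classify(p)
            if reason:
                findings.append((p.name, reason))
    return sorted(findings)


def demo() -> list:
    """Constructed sample directory: two lures, one benign shortcut, one PDF."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Utility_bill.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
        (root / "Card_photo.jpg.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
        (root / "Desktop shortcut.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
        (root / "Invoice.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
        return scan_for_lnk_lures(root)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Run it against an extracted mail attachment or a user's Downloads folder; the header check matters because attackers can rename the file freely, but a shortcut that Windows will actually execute must still begin with those 20 bytes.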
Impact
- Data Exfiltration
- Information Theft
- Credential Theft
- Unauthorized Access
Indicators of Compromise
Domain Name
- voipasst[.]com
- voipreq12[.]com
- telecomwl[.]com
- crm-domain[.]net
- leads-management[.]net
- fxmt4x[.]com
- xlmfx[.]com
- telefx[.]net
- voipssupport[.]com
- trquotesys[.]com
- extrasectr[.]com
- veritechx[.]com
- quotingtrx[.]com
- vvxtech[.]net
- corpxtech[.]com
SHA-256
- db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1
- 3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce
- c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720
- f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e
- cff5ed4de201256678c7c068c1dbda5c47f4b322b618981693b1fd07a0ea7e68
- 83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90
- 0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c
- e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f
- a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d
- 79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c
Source IP
- 193[.]56[.]28[.]201
- 185[.]236[.]230[.]25
Remediation
- Block the listed domains, IP addresses and file hashes at the respective controls (DNS and web proxy, perimeter firewall, endpoint AV/EDR).
- Do not open files from unexpected emails even if they look legitimate; be particularly wary of archives containing shortcut (.lnk) files that present themselves as PDFs or scanned documents.
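To act on the indicators above, here is an added example that is not part of the advisory: the Python script refangs the published lists (turns `[.]` back into `.`), then matches domains (including their subdomains), IP addresses and SHA-256 hashes against a handful of constructed DNS, proxy and EDR log lines. The log format, the `scan_logs` function and the sample lines are assumptions for illustration; the indicators themselves are copied from the lists above.

```python
"""Match the advisory's IoCs against sample log lines (added example)."""
import hashlib
import re

# Indicators copied from the advisory, still in defanged form.
DEFANGED_DOMAINS = [
    "voipasst[.]com", "voipreq12[.]com", "telecomwl[.]com", "crm-domain[.]net",
    "leads-management[.]net", "fxmt4x[.]com", "xlmfx[.]com", "telefx[.]net",
    "voipssupport[.]com", "trquotesys[.]com", "extrasectr[.]com",
    "veritechx[.]com", "quotingtrx[.]com", "vvxtech[.]net", "corpxtech[.]com",
]
DEFANGED_IPS = ["193[.]56[.]28[.]201", "185[.]236[.]230[.]25"]
SHA256S = {
    "db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1",
    "3b7cd07e87902deae4b482e987dea9e25a93a55ec783884e8b466dc55c346bce",
    "c7cf5c62ecfade27338acb2cc91a06c2615dbb97711f2558a9379ee8a5306720",
    "f5f79e2169db3bbe7b7ae3ff4a0f40659d11051e69ee784f5469659a708e829e",
    "cff5ed4de201256678c7c068c1dbda5c47f4b322b618981693b1fd07a0ea7e68",
    "83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90",
    "0d7dc074be83f1096f39ba95bfc4e1a17c411dbed0e5eeeb48e88a12d79b541c",
    "e678ec3dbccfbd5cf0f303d2841e726ac7628044de5297bf9ebe791d66270a2f",
    "a81f152a31c03b45dbcf29439050bbe080b1f6308b032aebc0205886d1f41e5d",
    "79e21ff9142821b2e3d6e3dc8d812e86da231dbbd1217415b4add748a4c1ce3c",
}


def refang(ioc: str) -> str:
    """Turn the publication-safe form back into a usable indicator."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")   # hostnames, not IPs
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def domain_hit(host: str) -> bool:
    """Exact match or a subdomain of a listed domain (www.voipasst.com hits)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def match_line(line: str) -> list:
    """Return (kind, indicator) pairs found in one log line."""
    hits = [("domain", h.lower()) for h in HOST_RE.findall(line) if domain_hit(h)]
    hits += [("ip", ip) for ip in IPV4_RE.findall(line) if ip in IPS]
    hits += [("sha256", h.lower()) for h in SHA256_RE.findall(line)
             if h.lower() in SHA256S]
    return hits


def scan_logs(lines) -> list:
    """Return (line index, hits) for every line that contains an indicator."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results.append((i, hits))
    return results


def file_hash_hit(data: bytes) -> bool:
    """Hash file content and compare against the SHA-256 list."""
    return hashlib.sha256(data).hexdigest() in SHA256S


# Constructed sample lines (not real telemetry): DNS, proxy and EDR events.
SAMPLE_LOGS = [
    "2020-09-04T10:21:07Z dns client=10.0.0.17 query=www.voipasst.com type=A",
    "2020-09-04T10:21:09Z proxy client=10.0.0.17 dst=193.56.28.201:443 host=crm-domain.net",
    "2020-09-04T10:22:11Z edr host=WS-017 path=C:\\Users\\u\\payload.bin "
    "sha256=db5d09edc2e9676a41f26f5f4310df9d13abdae8011b1d37af7139008362d5f1",
    "2020-09-04T10:23:00Z dns client=10.0.0.18 query=www.example.com type=A",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(idx, hits)
```

The subdomain match in domain_hit is deliberate: C2 infrastructure is frequently contacted through hostnames under the listed domain, and an exact-match block on the apex alone would miss them.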