Rewterz Threat Alert – Phishing Emails Containing Calendar Invitations

July 1, 2020

Rewterz Threat Alert – Zeppelin Ransomware – IoCs

July 1, 2020

Rewterz Threat Alert – EvilQuest Wiper Uses Ransomware Cover to Steal Files From Macs

July 1, 2020

Severity

High

Analysis Summary

Impersonating as Google Software Update program, EvilQuest wiper is found targeting MacOS, with almost zero detection. This new piece of macOS ransomware was found in pirated versions of popular macOS software, shared on popular torrent sites. This method of infection is common and at least at some level successful. It encrypts files and leaves a ransom note.

The .txt files when opened, looks like this:

It appears to handle tasking from a command and control server (andrewka6.pythonanywhere[.]com). Such tasking includes:

executing command
starting the keylogger
executing a module directly out of memory

Armed with these capabilities, the attacker can gain full control over an infected host!

Impact

Files Encryption
Remote code execution
Credential theft
Information theft
System compromise

Indicators of Compromise

Domain Name

andrewka6[.]pythonanywhere[.]com

MD5

777424b278bc6bb4edcecb82dfbcb37d
17bfc2fc9dce7254fea0bb86c085c52b
9291a3ec715f82ac2ef1545b64e1e51c
b836f7795e946f8e61185e844151c905
a2539ab3e8a30bd4b19b0614b5da04ce
aba3b585dd22d0e1d65ed87fe349b7e1
0e1c274aa0f487d6262e5d2bb4830229
a22e2da6f3ec7f9ddf5f3f8bb8325aeb
d2d4c05889be06d1772b19f6ddbfc9f6
a8440c256c6dc84f93a71b31412c6a9e
295c6945ef3b9cad6ff37c5510b14627
eeebec8b56565a7758f4dbd00ddf4180
569b651ec08732c185ed068d81877cf4
c73e33f13481252ec81486cb9e90719c
eb7cc7cb70d8946f4b25610ca1ba623d
f4368984793e7ab58357c4f675a84366
1e23accebc583eb7be178feabdb826d0
43778d3799840872349146c87b247396

SHA-256

a215dc148ff217dfcdfdb93521dfda34a02db3145b2075ddb1fae5bf02223b08
d0fedd9bd2cf05e0ee71af4c54649058a93a10dfff08c015e273b02e48b93af0
ab0f58f35451e95ec8b3f15dbd0a480f97e263708975f41867e3c91978ff7f48
ad24d8c5ce6e6ef10755dd83a24f13d7d1b42109ff570c3d98fc6a730d452f45
511731ff2e08ac1b1de0ca719f3500b2902d7670dd2b2d5b72b3cae847ab42c8
e361f8adefa02488cceadf7c490784c9da9a9b569d14c4259c12559c1cf223f1
bc4385e99c66cbcc08ce79bb29e34519a34c1b43546dfdbe9427e899508b2d26
1553d8756ce7af3c97291a589fc767b65e0f89940ada15e838243fe292901f42
33cecccbe3775e37ae09df298ba21082544164fa8cb32cdda05bfa8e54faa890
6b51992fa3dd5ca2525375c9fb2eaa032f031f866fd227a8a524e39d12d5e35e
7f149c27e7dc4dfd5f25fd93793dde96e711060881bdfbdd33f8cfdf12674093
993045d0a624e821640576570f0d5d2f3693efbd10115f9fb1d3f9ed91764073
8159fe10644fad806ddd10bca72efb709b887fed129d123e9772dc99290691c7
b94ba5a22f2c203224b51c15a546b049a10681904e9e47e84cdd321bedd78bd9
b2c02f25fdc19bdf994fd1f212a67d3e4fb4433c18af90ac9306c7f97c2d89f1
7d5d69c9b9d55da16212b71ab1b69e96f3003c4ef1b0319d5cbcfaeef26948ed
17e7883fe9581407529f58472fb1a79d844cc742e5f1454197450b71ff033e16
1597e79b7c1783791c96f92cc5a09a0deff7ec682851a881a7e4f4a0c5803309
9a509533b5dcd3185c3979b73f5861956a9cc83c16aaa505cb624342cde6ad8e
79ce6f9265622d499eb9676a544cfda2cebc14ed9c0131c49cf6e8fa80c4994d
e0ca6e395499421bc43a41c625e882df76b90edda3652969d5c28175d076a5f3
d3cd4ae4fa3e760ad3e9495d73cdd0c2699536c5c10f9add84b948730fb1648f
81a8050810975fdfcd93f2f0dbcf4c0ee0cda48851a0e56a693b2077b4677a4c
f5eefed38002d83a9c1f5d993afeba3c358dd1a67272ab3f171e24d5ed894da8
91e98e8db0c3443b76ce9358192086d19f6a917820f4e9bd6daf6fd6668eea01
e1528e284555637fe769177dab7e45ea6292d807448a28be2c465ad245bba428
9f590f8661c7c1a0609d77fa553b127ccf1a441cfc02a8656a15b35e53b62044
fc1450d3df4d99fff2d51e555d829a11b17815d82cb9bba04ec5a32db7cd3e26
567a82e21b6b1181def9f254d9af1fa80fb7667db48298989fc7b5a0576cb9de
7aa2117be248cdfd46dcf6756fa9dd3d210f71e2254a83d6337c9f102d7100d3
51ee1acbf13ac079aeb9749c7feb12f8fa87378d6a2ac94a7c54d7862c8a5563
8bf0a31e8c66d353eafa10b862bf58a1974202544e4a5d5a843501b16aa74e8d
a17d1c6c520f6f4fa1eb9a4411ad37853c946f3870eba8cc4ef3de71c184eeb3
03145f98fa416cea6a6fb2e8705fa9a25c70c79e8792dc40c10a62f0f9b4dea8
54106c44a7f55a673e9afd9b4415f2a372be49f62f2b1ff3e1196a35fbd0aeef
375b8f459c4fe9b3b0a102698578db921914deafec47c7c064ed779a41d0dbc9
81daa16a5653573117b94b49d657cdf32d9b88dcb891df3573581bb7478d096b
2479f5c4b8c44784ac5c603dadd5fad4ad1b80a8a6198aaf4913a2d1a59e8b01
333d13d5d4e6886848640880a8a9abe8d8f5045d116bbaf6bd328f43a8529c00
3af8dec60474c1f1c47026ea1aa87f3dc25329d69eed92cbdac95ecabd30e87d
45368be16794ebd47ec7b5bf1607eb9d3281ce7101715a1b99b3d50806f090dd
fc1ee4df3f52cc7d1bbd185beba983a398a4f5f990c4b1f6758e52f34a13024c
b24dd25b42e82a9b4a3fedf05913a4318154e6b04d7e54510f9d3dcf4c8d3438
2ce315aa047239222ede240df7b847f7b5070e792a39d3db148669a4fc07afa8
1a8f442575df82083507e18112198b3f7e51c4f5095ba96197468a9d4fca2ffd
46d75230716fd873f98c1c28e814ad2576b173bd4b23e44d794091536adb7adb
a36f63c0ce79bdf4dc74575f26611ff91b4448784e9a5b62f0414eb3e36bf42d
d43291684d6412f537d7f2001c21ad58313643a3556b730c287aed2015624a31
8e37e7c4995235301ce093557f3b0c9eafcc887469eae10d1356e936a18808ed
f409b059205d9a7700d45022dad179f889f18c58c7a284673975271f6af41794
b852b2c6b389e3176ceac9549c7d061aa6308f34022a24324dc44f8c39c35f04
851ce39495677eb52b5b7ceeeb769aacd9e4de90972a2e3fc51335b954d13aa0
07677fcec0276f6108f0a6288b9b12a75025d723b3ee7d494623a998883782f8
2a88b8206d7669791a7135c53d0ba7d2bc4d1da9a9972015bd0a1bde3cc9bbbd

SHA1

769e510c4d2aeca1a5969381355bb89808cd65fd
3d1993fb2ed8b33be17273b5c98394128bde5337
f095b7df03f545db8ce7f1d931bf524c8d742c60
8f8a39f3386120d5fb25f2b7cad224fa5610890c
134e4e59c2f3aa22a51a40072e101fa1cf7825e9
ba219ad16e48c79082067bf51881ecf028961f35
967f336bdde9c8f22a193ff3172cc50298584fb7
bd4fa58168569155d8f837c5ef01b6f4408921ec
d3ef5e2831ad52946e42f9a1a0dd31e9c2ceccd3
b1fe8010fc1d27c647b735d6b07279a05b2a8c4b
7463479f9aea3d8edc4b012df1012aadc262a9e6
8914731f5447553828c6da20cf1fd6cb30fb5718
082f393df9ba4bfb73de1b142ecdec0003778e8f
456ece6d19bdef0b2db446a67631eb8a734e286d
08f20a7cb4af29ba8b7ab5476a08132c1e5b29ea
893f0ae5bde30d536d71150a534b3063d5708d8c
a4c9a1a2dc8ffb6746e63c8ddb6632cc9c104e3a
36ec7e81fa89d72e1c4d942a264344b7577f7172

Source IP

167[.]71[.]237[.]219

Remediation

Block the threat indicators at their respective controls.
Do not download software from unauthentic sources.
Keep all systems and software updated to latest patched versions.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Rewterz Threat Alert – Phishing Emails Containing Calendar Invitations

Rewterz Threat Alert – Zeppelin Ransomware – IoCs