July 1, 2020
Severity
High
Analysis Summary
Masquerading as a Google Software Update program, the EvilQuest ransomware has been found targeting macOS with almost zero antivirus detection at the time of analysis. The malware was discovered bundled into pirated versions of popular macOS software shared on well-known torrent sites. Trojanized pirated software is a common infection vector, and one that evidently works at least some of the time. Once running, EvilQuest encrypts files on the host and leaves a ransom note.
The ransom note is dropped as a .txt file; the alert showed a screenshot of it as displayed to the victim (image not reproduced here).
It appears to handle tasking from a command and control server (andrewka6.pythonanywhere[.]com). Such tasking includes:
- executing command
- starting the keylogger
- executing a module directly out of memory
Armed with these capabilities, the attacker can gain full control over an infected host; file encryption is only the most visible part of the damage.
Impact
- File encryption
- Remote code execution
- Credential theft
- Information theft
- System compromise
Indicators of Compromise
Domain Name
- andrewka6[.]pythonanywhere[.]com
MD5
- 777424b278bc6bb4edcecb82dfbcb37d
- 17bfc2fc9dce7254fea0bb86c085c52b
- 9291a3ec715f82ac2ef1545b64e1e51c
- b836f7795e946f8e61185e844151c905
- a2539ab3e8a30bd4b19b0614b5da04ce
- aba3b585dd22d0e1d65ed87fe349b7e1
- 0e1c274aa0f487d6262e5d2bb4830229
- a22e2da6f3ec7f9ddf5f3f8bb8325aeb
- d2d4c05889be06d1772b19f6ddbfc9f6
- a8440c256c6dc84f93a71b31412c6a9e
- 295c6945ef3b9cad6ff37c5510b14627
- eeebec8b56565a7758f4dbd00ddf4180
- 569b651ec08732c185ed068d81877cf4
- c73e33f13481252ec81486cb9e90719c
- eb7cc7cb70d8946f4b25610ca1ba623d
- f4368984793e7ab58357c4f675a84366
- 1e23accebc583eb7be178feabdb826d0
- 43778d3799840872349146c87b247396
SHA-256
- a215dc148ff217dfcdfdb93521dfda34a02db3145b2075ddb1fae5bf02223b08
- d0fedd9bd2cf05e0ee71af4c54649058a93a10dfff08c015e273b02e48b93af0
- ab0f58f35451e95ec8b3f15dbd0a480f97e263708975f41867e3c91978ff7f48
- ad24d8c5ce6e6ef10755dd83a24f13d7d1b42109ff570c3d98fc6a730d452f45
- 511731ff2e08ac1b1de0ca719f3500b2902d7670dd2b2d5b72b3cae847ab42c8
- e361f8adefa02488cceadf7c490784c9da9a9b569d14c4259c12559c1cf223f1
- bc4385e99c66cbcc08ce79bb29e34519a34c1b43546dfdbe9427e899508b2d26
- 1553d8756ce7af3c97291a589fc767b65e0f89940ada15e838243fe292901f42
- 33cecccbe3775e37ae09df298ba21082544164fa8cb32cdda05bfa8e54faa890
- 6b51992fa3dd5ca2525375c9fb2eaa032f031f866fd227a8a524e39d12d5e35e
- 7f149c27e7dc4dfd5f25fd93793dde96e711060881bdfbdd33f8cfdf12674093
- 993045d0a624e821640576570f0d5d2f3693efbd10115f9fb1d3f9ed91764073
- 8159fe10644fad806ddd10bca72efb709b887fed129d123e9772dc99290691c7
- b94ba5a22f2c203224b51c15a546b049a10681904e9e47e84cdd321bedd78bd9
- b2c02f25fdc19bdf994fd1f212a67d3e4fb4433c18af90ac9306c7f97c2d89f1
- 7d5d69c9b9d55da16212b71ab1b69e96f3003c4ef1b0319d5cbcfaeef26948ed
- 17e7883fe9581407529f58472fb1a79d844cc742e5f1454197450b71ff033e16
- 1597e79b7c1783791c96f92cc5a09a0deff7ec682851a881a7e4f4a0c5803309
- 9a509533b5dcd3185c3979b73f5861956a9cc83c16aaa505cb624342cde6ad8e
- 79ce6f9265622d499eb9676a544cfda2cebc14ed9c0131c49cf6e8fa80c4994d
- e0ca6e395499421bc43a41c625e882df76b90edda3652969d5c28175d076a5f3
- d3cd4ae4fa3e760ad3e9495d73cdd0c2699536c5c10f9add84b948730fb1648f
- 81a8050810975fdfcd93f2f0dbcf4c0ee0cda48851a0e56a693b2077b4677a4c
- f5eefed38002d83a9c1f5d993afeba3c358dd1a67272ab3f171e24d5ed894da8
- 91e98e8db0c3443b76ce9358192086d19f6a917820f4e9bd6daf6fd6668eea01
- e1528e284555637fe769177dab7e45ea6292d807448a28be2c465ad245bba428
- 9f590f8661c7c1a0609d77fa553b127ccf1a441cfc02a8656a15b35e53b62044
- fc1450d3df4d99fff2d51e555d829a11b17815d82cb9bba04ec5a32db7cd3e26
- 567a82e21b6b1181def9f254d9af1fa80fb7667db48298989fc7b5a0576cb9de
- 7aa2117be248cdfd46dcf6756fa9dd3d210f71e2254a83d6337c9f102d7100d3
- 51ee1acbf13ac079aeb9749c7feb12f8fa87378d6a2ac94a7c54d7862c8a5563
- 8bf0a31e8c66d353eafa10b862bf58a1974202544e4a5d5a843501b16aa74e8d
- a17d1c6c520f6f4fa1eb9a4411ad37853c946f3870eba8cc4ef3de71c184eeb3
- 03145f98fa416cea6a6fb2e8705fa9a25c70c79e8792dc40c10a62f0f9b4dea8
- 54106c44a7f55a673e9afd9b4415f2a372be49f62f2b1ff3e1196a35fbd0aeef
- 375b8f459c4fe9b3b0a102698578db921914deafec47c7c064ed779a41d0dbc9
- 81daa16a5653573117b94b49d657cdf32d9b88dcb891df3573581bb7478d096b
- 2479f5c4b8c44784ac5c603dadd5fad4ad1b80a8a6198aaf4913a2d1a59e8b01
- 333d13d5d4e6886848640880a8a9abe8d8f5045d116bbaf6bd328f43a8529c00
- 3af8dec60474c1f1c47026ea1aa87f3dc25329d69eed92cbdac95ecabd30e87d
- 45368be16794ebd47ec7b5bf1607eb9d3281ce7101715a1b99b3d50806f090dd
- fc1ee4df3f52cc7d1bbd185beba983a398a4f5f990c4b1f6758e52f34a13024c
- b24dd25b42e82a9b4a3fedf05913a4318154e6b04d7e54510f9d3dcf4c8d3438
- 2ce315aa047239222ede240df7b847f7b5070e792a39d3db148669a4fc07afa8
- 1a8f442575df82083507e18112198b3f7e51c4f5095ba96197468a9d4fca2ffd
- 46d75230716fd873f98c1c28e814ad2576b173bd4b23e44d794091536adb7adb
- a36f63c0ce79bdf4dc74575f26611ff91b4448784e9a5b62f0414eb3e36bf42d
- d43291684d6412f537d7f2001c21ad58313643a3556b730c287aed2015624a31
- 8e37e7c4995235301ce093557f3b0c9eafcc887469eae10d1356e936a18808ed
- f409b059205d9a7700d45022dad179f889f18c58c7a284673975271f6af41794
- b852b2c6b389e3176ceac9549c7d061aa6308f34022a24324dc44f8c39c35f04
- 851ce39495677eb52b5b7ceeeb769aacd9e4de90972a2e3fc51335b954d13aa0
- 07677fcec0276f6108f0a6288b9b12a75025d723b3ee7d494623a998883782f8
- 2a88b8206d7669791a7135c53d0ba7d2bc4d1da9a9972015bd0a1bde3cc9bbbd
SHA-1
- 769e510c4d2aeca1a5969381355bb89808cd65fd
- 3d1993fb2ed8b33be17273b5c98394128bde5337
- f095b7df03f545db8ce7f1d931bf524c8d742c60
- 8f8a39f3386120d5fb25f2b7cad224fa5610890c
- 134e4e59c2f3aa22a51a40072e101fa1cf7825e9
- ba219ad16e48c79082067bf51881ecf028961f35
- 967f336bdde9c8f22a193ff3172cc50298584fb7
- bd4fa58168569155d8f837c5ef01b6f4408921ec
- d3ef5e2831ad52946e42f9a1a0dd31e9c2ceccd3
- b1fe8010fc1d27c647b735d6b07279a05b2a8c4b
- 7463479f9aea3d8edc4b012df1012aadc262a9e6
- 8914731f5447553828c6da20cf1fd6cb30fb5718
- 082f393df9ba4bfb73de1b142ecdec0003778e8f
- 456ece6d19bdef0b2db446a67631eb8a734e286d
- 08f20a7cb4af29ba8b7ab5476a08132c1e5b29ea
- 893f0ae5bde30d536d71150a534b3063d5708d8c
- a4c9a1a2dc8ffb6746e63c8ddb6632cc9c104e3a
- 36ec7e81fa89d72e1c4d942a264344b7577f7172
Source IP
- 167[.]71[.]237[.]219
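The indicators above are most useful when they are actually hunted with. The following script is an added example, not part of the Rewterz alert: it refangs the defanged network indicators, hashes files under a directory and matches them against the MD5, SHA-1 and SHA-256 lists, and greps log lines for the C2 domain and source IP. Only a subset of the advisory's hashes is embedded to keep the block short (load the full list in practice); the sample log lines and the benign file created by `demo_scan()` are constructed here for illustration.

```python
"""Hunt for the EvilQuest indicators from this alert on a host and in logs.

Added example, not the alert's own tooling. Hash sets below are a subset of
the advisory's lists; the log lines and demo file are constructed.
"""
import hashlib
import os
import re
import tempfile


def refang(indicator):
    """Turn the alert's defanged form (foo[.]bar) back into a matchable string."""
    return indicator.replace("[.]", ".")


# Subset of the hashes listed in the alert (lowercase hex). Extend in deployment.
IOC_MD5 = {
    "777424b278bc6bb4edcecb82dfbcb37d",
    "17bfc2fc9dce7254fea0bb86c085c52b",
}
IOC_SHA1 = {
    "769e510c4d2aeca1a5969381355bb89808cd65fd",
    "3d1993fb2ed8b33be17273b5c98394128bde5337",
}
IOC_SHA256 = {
    "a215dc148ff217dfcdfdb93521dfda34a02db3145b2075ddb1fae5bf02223b08",
    "d0fedd9bd2cf05e0ee71af4c54649058a93a10dfff08c015e273b02e48b93af0",
}
IOC_DOMAIN = refang("andrewka6[.]pythonanywhere[.]com")
IOC_IP = refang("167[.]71[.]237[.]219")

# Match the domain or IP as a whole token so "167.71.237.2190" does not hit.
_NETWORK_RE = re.compile(
    r"(?<![\w.])(?:%s|%s)(?![\w.])" % (re.escape(IOC_DOMAIN), re.escape(IOC_IP)),
    re.IGNORECASE,
)


def hash_bytes(data):
    """MD5, SHA-1 and SHA-256 hex digests of an in-memory blob."""
    return (
        hashlib.md5(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    )


def hash_file(path):
    """Stream a file once and return (md5, sha1, sha256) hex digests."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def match_hashes(md5, sha1, sha256):
    """Return the names of the IoC lists the given digests appear in."""
    hits = []
    if md5.lower() in IOC_MD5:
        hits.append("md5")
    if sha1.lower() in IOC_SHA1:
        hits.append("sha1")
    if sha256.lower() in IOC_SHA256:
        hits.append("sha256")
    return hits


def scan_tree(root):
    """Walk a directory and map each matching file path to its matched lists."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hits = match_hashes(*hash_file(path))
            except OSError:  # unreadable file, special file, race with deletion
                continue
            if hits:
                findings[path] = hits
    return findings


def scan_log_lines(lines):
    """Return the log lines that reference the C2 domain or the source IP."""
    return [line for line in lines if _NETWORK_RE.search(line)]


# Constructed DNS/connection log lines; not from any real environment.
SAMPLE_LOG = [
    "2020-07-01T10:12:03Z dns client=10.0.0.5 qname=andrewka6.pythonanywhere.com type=A",
    "2020-07-01T10:12:04Z conn 10.0.0.5:51234 -> 167.71.237.219:443 proto=tcp",
    "2020-07-01T10:13:00Z dns client=10.0.0.6 qname=apple.com type=A",
]


def demo_scan():
    """Scan a temp directory holding one constructed benign file (expect no hits)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "benign.bin"), "wb") as f:
            f.write(b"constructed benign content for the demo\n")
        return scan_tree(d)


if __name__ == "__main__":
    print("file hits:", demo_scan())
    for hit in scan_log_lines(SAMPLE_LOG):
        print("network hit:", hit)
```

Point `scan_tree()` at the paths where pirated installers and their payloads typically land (the Downloads folder, /Applications, the user's Library) and feed `scan_log_lines()` your DNS resolver or proxy logs; a hash hit identifies a known sample, while a network hit identifies a host that has already checked in with the C2.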
Remediation
- Block the threat indicators (domain, IP and file hashes) at their respective controls: DNS and web proxy for the C2 domain, perimeter firewall for the IP, and endpoint protection for the hashes.
- Do not download software from unofficial sources; pirated application bundles from torrent sites were the delivery vector here.
- Keep all systems and software updated to the latest patched versions.