March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Advisory – CVE-2020-5621 – Multiple NETGEAR products cross-site request forgery
September 1, 2020
Rewterz Threat Alert – Gozi The Malware with a Thousand Faces
September 1, 2020
Rewterz Threat Advisory – CVE-2020-5621 – Multiple NETGEAR products cross-site request forgery
September 1, 2020
Rewterz Threat Alert – Gozi The Malware with a Thousand Faces
September 1, 2020
Severity
Medium
Analysis Summary
Researchers have published their analysis of a COVID-19 themed email campaign. The email subject and body are related to the sale of face masks and thermometers, which were in short supply earlier this year. The body includes the company logo and details for a legitimate chemical manufacturer or import/export business. Along with changing the spoofed company, the attackers also rotated the sender IP address and attachment hash to avoid systems detecting known malicious indicators. Attached to these emails was a GZ archive masquerading as a PDF that supposedly contains details on ordering face masks. Contained within the archive is an executable file that, upon execution, installs the Agent Tesla RAT. After initial check in with the C2 server, it waits to receive commands to be executed on the victim host. One of the main functionalities of Agent Tesla is the ability to steal passwords from various applications. Gathered credentials and other sensitive information are then exfiltrated to the C2 server via SMTP.
Impact
- Credential theft
- Exposure of sensitive data
Indicators of Compromise
Filename
- Supplier-Face Mask Forehead Thermometer[.]pdf[.]gz
- Supplier-Face Mask Forehead Thermometer[.]pdf[.]exe
IP
- 209[.]58[.]149[.]65
- 203[.]188[.]252[.]14
- 185[.]66[.]40[.]36
- 50[.]28[.]40[.]153
- 62[.]210[.]83[.]136
- 72[.]32[.]232[.]136
- 95[.]216[.]16[.]146
- 209[.]58[.]149[.]66
- 89[.]33[.]246[.]113
- 178[.]239[.]161[.]164
- 156[.]96[.]47[.]65
- 209[.]58[.]149[.]69
- 95[.]211[.]208[.]50
- 209[.]58[.]149[.]87
- 37[.]48[.]85[.]232
- 208[.]91[.]199[.]224
MD5
- fdfaaf9efb8507262ee9b97324bbb69a
- 64bc654373549584f7e596de24e1d8cc
SHA-256
- b419849ce915ede72fda1ea0b566651e233ef5eaffbf8b9211bd44085407ad5e
- 53445247552485c277400bafba84458670f0c1001c91b4f0bcc15935c12d662b
SHA1
- 846da85a2f2e6e79ebc7ed84b00ed97af513c80f
- 6a39bd3ddaa2c9846e2a4912a80fd718eaee622f
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.