Severity
Medium
Analysis Summary
Researchers have found and analyzed samples of Zoom installers bundled with malware. The first sample carries the Zapiz backdoor. The installer contains several encrypted files that decrypt into a separate installer; once running, the malware kills all remote-access utilities on the host and opens port 5650 to provide remote access. It also adds four registry entries holding its configuration settings, which are used to notify the C2 that an email account has been set up, that credentials have been stolen, and that the infected machine has been flagged as ready for access.

The second sample carries the Devil Shadow botnet. The installer contains pyclient.cmd, which holds the malicious commands. A self-extracting archive bundles a text file listing the C2 server address and a download URL, a batch file used to gain persistence, and a copy of the legitimate Zoom installer. One Visual Basic script executes the cmd files and a second Visual Basic script establishes persistence. All malicious files are dropped alongside the Zoom installer; the cmd file then connects to the hosting URL and downloads the binaries used for the follow-on malicious actions. Finally, the legitimate Zoom installer is run so that the user sees the expected installation and does not suspect malicious activity.
Impact
- Credential theft
- Exposure of sensitive data
- Unauthorized remote access to the infected host (backdoor)
Indicators of Compromise
SHA-256
- 4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe
- 57bf83837c18a75d2e7327cdf5bfdcc906ccf78d82237ec961a4f1bee85473cf
- 9b6b1807f886bb9eccdc170988d6e419e4301c96817f362aca3d01df17c352fd
- 90728a5b2f22460e1b28e3dc350a95b993a185a6170b4aa5e45b57834b90bcee
- a26f3981ed3784bb86f5223bf14fb0047ff3fd86b8fc94753ce5a3f1702ebb56
- 93bf084daddb10b3760f4e4424b1bc4d5d5590c30064045d01c8658a6fe50d3a
- f01da52509792a52c6def452b3ee9b0b78acaca399341926fbe4f3212c42a55e
- 5b7804919d437688c8811e85c54cb36efba72652bac8093833ca04b811ea87b7
- 628928fe61e86d3b246a7822b1d1505d3694becc4a73e373f73653851d22f1a5
- 65f725f380c9b90d409539b74bfbd8a57f0fa48843ee79838fa57ad28240feb5
URL
- http[:]//hosting303[.]000webhostapp[.]com/devil_shadow
Remediation
- Block all threat indicators at your respective controls: the SHA-256 hashes on endpoint protection, and the C2 URL and its domain at the web proxy and DNS layer.
- Download Zoom only from the official vendor site or app store; treat installers received by email or from third-party download sites as suspect.
- Always be suspicious of emails sent by unknown senders, and never click on the links or attachments they contain.
- Review hosts for unexpected listeners on port 5650 and for remote-access utilities being terminated, both of which are described above as Zapiz behaviour.
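Hunting for the indicators above on a host or in proxy logs, as an added example that is not Rewterz's tooling: the SHA-256 values and the defanged C2 URL are the advisory's indicators, while the directory layout, the stand-in installer file and the proxy log lines are constructed for the demonstration. The script hashes every regular file under a directory and flags matches against the IoC list, and it refangs the published URL so it can be matched against log lines.

```python
"""IoC sweep for the trojanised Zoom installers described in the advisory.

Added example, not the advisory's own tooling. The hashes and the C2 URL are
taken from the indicators above; the sample file and log lines are constructed.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 hashes of the malicious installers and dropped files listed in the advisory.
IOC_SHA256 = frozenset({
    "4070e977823d74478aec248862302063918fda16b57f2c3b561018605bfbf4fe",
    "57bf83837c18a75d2e7327cdf5bfdcc906ccf78d82237ec961a4f1bee85473cf",
    "9b6b1807f886bb9eccdc170988d6e419e4301c96817f362aca3d01df17c352fd",
    "90728a5b2f22460e1b28e3dc350a95b993a185a6170b4aa5e45b57834b90bcee",
    "a26f3981ed3784bb86f5223bf14fb0047ff3fd86b8fc94753ce5a3f1702ebb56",
    "93bf084daddb10b3760f4e4424b1bc4d5d5590c30064045d01c8658a6fe50d3a",
    "f01da52509792a52c6def452b3ee9b0b78acaca399341926fbe4f3212c42a55e",
    "5b7804919d437688c8811e85c54cb36efba72652bac8093833ca04b811ea87b7",
    "628928fe61e86d3b246a7822b1d1505d3694becc4a73e373f73653851d22f1a5",
    "65f725f380c9b90d409539b74bfbd8a57f0fa48843ee79838fa57ad28240feb5",
})

# The Devil Shadow download URL exactly as published (defanged).
IOC_URLS_DEFANGED = ("http[:]//hosting303[.]000webhostapp[.]com/devil_shadow",)

_DEFANG = re.compile(r"\[([.:])\]")


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions ([.], [:], hxxp) in an indicator."""
    plain = _DEFANG.sub(r"\1", indicator)
    return re.sub(r"^hxxp", "http", plain, flags=re.IGNORECASE)


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root: str, hashes=IOC_SHA256):
    """Hash every regular file under root; return sorted (path, digest) for IoC matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:  # unreadable file: skip rather than abort the sweep
                continue
            if digest in hashes:
                hits.append((path, digest))
    return sorted(hits)


def scan_log_lines(lines, defanged_urls=IOC_URLS_DEFANGED):
    """Return (line_no, url, line) for log lines containing a refanged IoC URL."""
    urls = [refang(u).lower() for u in defanged_urls]
    hits = []
    for number, line in enumerate(lines):
        lowered = line.lower()
        for url in urls:
            if url in lowered:
                hits.append((number, url, line))
    return hits


# Constructed proxy log lines (not from the advisory) to exercise the URL check.
SAMPLE_LOG = [
    "2020-05-27T10:01:02Z 10.0.0.5 GET http://hosting303.000webhostapp.com/devil_shadow 200",
    "2020-05-27T10:01:03Z 10.0.0.5 GET https://zoom.us/client/latest/ZoomInstaller.exe 200",
]


def demo():
    """Run both checks against a constructed installer file and SAMPLE_LOG."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "ZoomInstaller.exe")
        with open(path, "wb") as handle:
            handle.write(b"constructed stand-in for a downloaded installer")
        digest = sha256_file(path)
        # Against the advisory's list the stand-in is clean; against its own
        # hash it is flagged, which exercises the matching path.
        clean = scan_tree(workdir, IOC_SHA256)
        flagged = scan_tree(workdir, {digest})
    url_hits = scan_log_lines(SAMPLE_LOG)
    return len(clean), len(flagged), [number for number, _url, _line in url_hits]


if __name__ == "__main__":
    print(demo())
    for number, url, line in scan_log_lines(SAMPLE_LOG):
        print(f"log line {number}: contact with {url}: {line}")
```

Point scan_tree at a downloads folder or a mounted disk image and feed scan_log_lines the proxy export; a hash hit identifies a file from the advisory, while a URL hit identifies a host that reached the Devil Shadow download location and should be isolated and examined for the dropped cmd and Visual Basic scripts.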