
Rewterz Threat Alert – Financial sector hit by malicious email campaign that abuses Google Cloud Storage

December 27, 2018

SEVERITY: Medium

CATEGORY: Cyber Crime

ANALYSIS SUMMARY:

A new cyber-attack campaign against the financial sector has been observed, primarily in the UK and USA. The attackers behind this campaign deliver their malicious payload via Google Cloud Storage: the payloads are hosted on storage.googleapis.com, the domain of that storage service. The attack begins with phishing emails that lure targets into clicking malicious links, which lead to archive files (.zip and .gz).

The lure consists of 'Remittance invoice' offers, as seen in the image below.

The malicious archives contain two types of payload, .vbs scripts and .jar (Java Archive) files, both heavily obfuscated. Making full use of reputation-jacking (hiding behind a reputable organization's infrastructure to evade detection), the attackers host their payloads on the widely trusted Google Cloud Storage service. The campaign uses malicious links instead of malicious attachments because most security controls can detect malicious files, but ignore malicious links that are not on a blacklist.

Researchers analyzed three scripts belonging to the Houdini malware family:

  • Transfer invoice[.]vbs
  • Transfer[.]vbs
  • Bank slip[.]vbs

The scripts are heavily obfuscated, with three nested levels of obfuscated VBScript, each encoded with Base64. Researchers found that all three use the same C&C domain (pm2bitcoin[.]com) and the same secondary C2 (fud[.]fudcrypt[.]com). Moreover, the same string "<[ recoder : houdini (c) skype : houdini-fx ]>" appears in the innermost level of obfuscated VBScript in each, and all three download a JAR file. These JAR files belong to the jRat and QRat malware families. The email campaign is being tracked by researchers at MenloLabs security.
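The nested Base64 layering described above is the kind of sample an analyst peels back by hand. The following is an added example (not the advisory's or MenloLabs' code) showing one way to automate that: it finds Base64 runs in a script, decodes the largest one as the next layer, repeats, and reports the depth at which the Houdini marker string quoted in the advisory appears. The synthetic sample it builds, the `Execute(Decode(...))` wrapping scheme, the minimum run length and the helper names are all constructed assumptions for illustration; real samples will need the regex and the layer-selection heuristic adjusted.

```python
"""Peel nested Base64 layers out of an obfuscated VBScript-style sample and
look for the Houdini marker string quoted in the advisory.

Added example, not the advisory's or MenloLabs' code. The sample script,
the layering scheme (a Base64 blob passed to an Execute call) and the
helper names are constructed assumptions for illustration.
"""
import base64
import binascii
import re

# Marker string quoted in the advisory's analysis of the VBScript samples.
HOUDINI_MARKER = "<[ recoder : houdini (c) skype : houdini-fx ]>"

# Runs of Base64 text long enough to plausibly hold code (assumption: >= 32 chars).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def _decode_runs(text: str) -> list[str]:
    """Return every Base64 run in `text` that decodes to printable text."""
    out = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        # Keep only text-like results; binary garbage is not a script layer.
        if all(c.isprintable() or c.isspace() for c in decoded):
            out.append(decoded)
    return out


def peel_layers(script: str, max_depth: int = 10) -> list[str]:
    """Iteratively decode Base64 runs; returns the layers, outermost first."""
    layers = [script]
    current = script
    for _ in range(max_depth):
        decoded = _decode_runs(current)
        if not decoded:
            break
        # Assumption: the largest decoded blob is the next code layer.
        current = max(decoded, key=len)
        layers.append(current)
    return layers


def find_houdini_marker(script: str):
    """Return (depth, layer_text) for the first layer containing the marker, else None."""
    for depth, layer in enumerate(peel_layers(script)):
        if HOUDINI_MARKER in layer:
            return depth, layer
    return None


def build_sample(levels: int = 3) -> str:
    """Construct a benign, synthetic sample: a marker comment wrapped in `levels`
    Base64 layers, mirroring the three nested levels the advisory describes."""
    inner = f"' {HOUDINI_MARKER}\nWScript.Echo \"inner layer\"\n"
    for _ in range(levels):
        blob = base64.b64encode(inner.encode()).decode()
        inner = f'Execute(Decode("{blob}"))\n'
    return inner


if __name__ == "__main__":
    sample = build_sample(3)
    hit = find_houdini_marker(sample)
    print("layers:", len(peel_layers(sample)))
    print("marker depth:", None if hit is None else hit[0])
```

Choosing the largest decoded blob as the next layer is a heuristic that works for the simple "one big string per layer" pattern; samples that split the payload across several concatenated strings need the runs joined before decoding.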

Attackers are increasingly focusing on the financial sector, and more sophisticated phishing attacks targeting bank employees are being observed.

INDICATORS OF COMPROMISE

URLs:

  • hxxps://storage[.]googleapis[.]com/officexel/Remittance%20invoice[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/TT%20COPY[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/new%20slip[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/Transfer%20invoice[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/transfer[.]gz
  • hxxps://storage[.]googleapis[.]com/officexel/Swift%20Invoice[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/payment%20slip[.]zip
  • hxxps://storage[.]googleapis[.]com/officexel/bank%20slip[.]zip
  • fud[.]fudcrypt[.]com
  • pm2bitcoin[.]com
  • storage[.]googleapis[.]co

Email Subject:

  • Re-Confirm Details
  • SWIFT COPY
  • Transaction Slip
  • Confirmation
  • TRANSFR
  • bank transfer
  • bank slip

Email Addresses:

  • infototrade6@yahoo[.]com
  • exchange[.]reza@yahoo[.]com
  • bestradingint@yahoo[.]com
  • infoalborzlead@yahoo[.]co[.]uk
  • nayan1maii@yahoo[.]com

Malware Hashes:

  • 739110ba3a95568803a48c2ac21c860058cd82f7512605103e79fdb8e0ceb8e2
  • ea6dd952f98a8445b9fe7bfe4a903cffe9f3dc1f20c3e63970048b5423d7378f
  • ade9a6e8995a58b71c55e2116ad3956a6e7cafce9a5fee50e9d8506f1cfa5a9a
  • b3b2988f8bf4881d7a7774a52a06a49e9a942e8587b8e2b1ec4754a3eb157bb1
  • 56b51220f1a41f316f26f0312590d3b4222185e407a1256766b6cb1c5de98635
  • 1a3dd0fc8a4725048776c596a2a77f5d9dc5b62e3d99cb60617f3ed5182b2f5b
  • 589ea2ae48ba41c11eca1bad367b333a91ec7298ca9a38135ae0e4263ccd0392
  • fcc9ffdc225e6ac608a4a498fcce4290b2089a026cb57f0ee82a616fcd735140
  • c958d28cecc1cdba9e0a9e6caf9d194f17989905d1677d90e11c4647a88b42bf
  • 828482782171fe0c3980ec9454887806757c2bf6d6d0c35ea408e9b65e2ec581

REMEDIATION

Block the listed IoCs at their respective controls, and make sure all employees are trained to recognize phishing attacks.
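Blocking IoCs "at their respective controls" in practice means turning the defanged list above into matchable values and checking them against the right log source for each type: URLs and domains against proxy and DNS logs, sender addresses and subjects against mail-gateway logs, hashes against endpoint file events. The following is an added example (not Rewterz's code) that does exactly that over a few constructed log records. It uses a subset of the indicators published above and goes one step beyond the list: because every listed URL sits in the same `officexel` bucket, it also flags any URL under that bucket prefix, which is an assumption worth noting since blocking storage.googleapis.com wholesale would break legitimate Google Cloud usage. The key=value log format, field names and sample records are constructed for illustration.

```python
"""Match the advisory's IoCs against log records at the control that owns each type.

Added example, not Rewterz's code. The key=value log format, the field names and
the sample records are constructed; the indicators are a subset of those published
in the advisory. The bucket-prefix rule is an assumption derived from the URL list.
"""
import re
from urllib.parse import urlparse

# Defanged indicators as published in the advisory (subset).
DEFANGED_URLS = [
    "hxxps://storage[.]googleapis[.]com/officexel/Remittance%20invoice[.]zip",
    "hxxps://storage[.]googleapis[.]com/officexel/transfer[.]gz",
]
DEFANGED_DOMAINS = ["fud[.]fudcrypt[.]com", "pm2bitcoin[.]com"]
DEFANGED_SENDERS = ["infototrade6@yahoo[.]com", "exchange[.]reza@yahoo[.]com"]
SUBJECTS = ["Re-Confirm Details", "SWIFT COPY", "Transaction Slip", "TRANSFR"]
HASHES = [
    "739110ba3a95568803a48c2ac21c860058cd82f7512605103e79fdb8e0ceb8e2",
    "ea6dd952f98a8445b9fe7bfe4a903cffe9f3dc1f20c3e63970048b5423d7378f",
]
# Assumption: all listed URLs share this bucket, so flag anything under it.
BUCKET_PREFIX = "https://storage.googleapis.com/officexel/"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable, lower-cased form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


URLS = {refang(u) for u in DEFANGED_URLS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
SENDERS = {refang(s) for s in DEFANGED_SENDERS}
SUBJECTS_LC = {s.lower() for s in SUBJECTS}
HASHSET = {h.lower() for h in HASHES}

# Constructed log format (assumption): space-separated key=value pairs, quoted values allowed.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV.findall(line)}


def match_record(line: str) -> list[str]:
    """Return the IoC hits for one log record (empty list if clean)."""
    rec = parse_kv(line)
    hits = []
    url = rec.get("url", "").lower()               # proxy / web gateway
    if url:
        if url in URLS:
            hits.append("url:" + url)
        if url.startswith(BUCKET_PREFIX):
            hits.append("bucket:officexel")
        host = urlparse(url).hostname or ""
        if host in DOMAINS:
            hits.append("domain:" + host)
    sender = rec.get("from", "").lower()            # mail gateway
    if sender in SENDERS:
        hits.append("sender:" + sender)
    if rec.get("subject", "").lower() in SUBJECTS_LC:
        hits.append("subject:" + rec["subject"])
    query = rec.get("query", "").lower().rstrip(".")  # DNS resolver
    if query in DOMAINS:
        hits.append("dns:" + query)
    sha = rec.get("sha256", "").lower()             # endpoint file events
    if sha in HASHSET:
        hits.append("sha256:" + sha)
    return hits


def scan(lines) -> list:
    """Return (index, hits) for every record that matches at least one IoC."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := match_record(line))]


# Constructed sample records, one per control type plus two clean lines.
SAMPLE_LOGS = [
    'ts=2018-12-27T09:14:02Z src=10.0.0.15 url="https://storage.googleapis.com/officexel/Remittance%20invoice.zip" action=allow',
    'ts=2018-12-27T09:15:10Z src=10.0.0.16 url="https://storage.googleapis.com/docs-public/readme.txt" action=allow',
    'ts=2018-12-27T09:20:44Z from=infototrade6@yahoo.com to=payments@example.com subject="SWIFT COPY" verdict=delivered',
    'ts=2018-12-27T09:21:03Z client=10.0.0.15 query=pm2bitcoin.com. type=A',
    'ts=2018-12-27T09:21:30Z host=WS-042 sha256=EA6DD952F98A8445B9FE7BFE4A903CFFE9F3DC1F20C3E63970048B5423D7378F path="C:\\Users\\alice\\Downloads\\transfer.jar"',
    'ts=2018-12-27T09:30:00Z from=colleague@example.com to=payments@example.com subject="lunch?" verdict=delivered',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(idx, hits)
```

Matching is case-insensitive throughout, including URL paths, which trades a little precision for not missing a re-cased link; the same records fed through a SIEM lookup table would behave the same way.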
