Rewterz Threat Alert – WannaCry still Lurks on Infected Computers, 18 months after the initial outburst
December 27, 2018Rewterz Threat Alert – JungleSec Ransomware Infects Victims Through IPMI Remote Consoles
December 28, 2018SEVERITY: Medium
CATEGORY: Cyber Crime
ANALYSIS SUMMARY:
A new cyber-attack campaign on financial sector has been observed, primarily in the UK and USA. The attackers behind this espionage are delivering their malicious payload via Google Cloud Storage. The malicious payloads are hosted on storage.googleapis.com associated to the storage service. The attack begins with phishing emails luring targets into clicking on malicious links. These links redirect the victims to archived files like .zip and .gz.
The lure consists of ‘Remittance invoice’ offers as can be seen in the image below.
The malicious files contain two types of payloads, .vbs scripts and .jar (Java Archive) files which are highly complex and perplexing. Making full use of Reputation-jacking, the act of hiding behind reputed organizations to evade detection, these attackers host their malicious payloads on the widely trusted service of Google Cloud Storage. The campaign uses malicious links instead of malicious attachments because most security controls are able to detect malicious files, while being ignorant to malicious links if they’re not in the blacklist.
The experts analyzed three scripts which belong to the Houdini malware family. These include :
- Transfer invoice[.]vbs
- Transfer[.]vbs
- Bank slip[.]vbs
The codes were highly obfuscated with three nested levels of obfuscated VBScript and encoded using Base64 encoding. Researchers discovered that they used the same C2 domain as their C&C server (pm2bitcoin[.]com) and secondary C2 (fud[.]fudcrypt[.] com). Moreover, the same string “<[ recoder : houdini (c) skype : houdini-fx ]>” appears in the last level of obfuscated VBScript and all download a JAR file. These files belong to the jRat and QRat malware family. This email campaign is being tracked by researchers at MenloLabs security.
Attackers in the cyber arena are focusing their target on financial sector and more and more sophisticated phishing attacks are being observed targeting bank employees.
INDICATORS OF COMPROMISE
URLs:
- hxxps://storage[.]googleapis[.]com/officexel/Remittance%20invoice[.]zip
- hxxps://storage[.]googleapis[.]com/officexel/TT%20COPY[.]zip
- hxxps://storage[.]googleapis[.]com/officexel/new%20slip[.]zip
- hxxps://storage[.]googleapis[.]com/officexel/Transfer%20invoice[.]zip
- hxxps://storage[.]googleapis[.]com/officexel/transfer[.]gz
- hxxps://storage[.]googleapis[.]com/officexel/Swift%20Invoice[.]zip
- hxxps://storage[.]googleapis[.]com/officexel/payment%20slip[.]zip
- hxxps://storage[.]googleapis[.]com/officexel/bank%20slip[.]zip
- fud[.]fudcrypt[.]com
- pm2bitcoin[.]com
- storage[.]googleapis[.]co
Email Subject:
- Re-Confirm Details
- SWIFT COPY
- Transaction Slip
- Confirmation
- TRANSFR
- bank transfer
- bank slip
Email Addresses:
- infototrade6@yahoo[.]com
- exchange[.]reza@yahoo[.]com
- bestradingint@yahoo[.]com
- infoalborzlead@yahoo[.]co[.]uk
- nayan1maii@yahoo[.]com
Malware Hashes:
- 739110ba3a95568803a48c2ac21c860058cd82f7512605103e79fdb8e0ceb8e2
- Ea6dd952f98a8445b9fe7bfe4a903cffe9f3dc1f20c3e63970048b5423d7378f
- Ade9a6e8995a58b71c55e2116ad3956a6e7cafce9a5fee50e9d8506f1cfa5a9a
- B3b2988f8bf4881d7a7774a52a06a49e9a942e8587b8e2b1ec4754a3eb157bb1
- 56b51220f1a41f316f26f0312590d3b4222185e407a1256766b6cb1c5de98635
- 1a3dd0fc8a4725048776c596a2a77f5d9dc5b62e3d99cb60617f3ed5182b2f5b
- 589ea2ae48ba41c11eca1bad367b333a91ec7298ca9a38135ae0e4263ccd0392
- Fcc9ffdc225e6ac608a4a498fcce4290b2089a026cb57f0ee82a616fcd735140
- C958d28cecc1cdba9e0a9e6caf9d194f17989905d1677d90e11c4647a88b42bf
- 828482782171fe0c3980ec9454887806757c2bf6d6d0c35ea408e9b65e2ec581
REMEDIATION
Block the IoCs at their respective controls. Also, make sure all employees are trained against phishing attacks.