Rewterz Threat Alert – Campaign Deploying Malware via MalSpam Targeting Web Application Servers
February 25, 2019
Severity
Medium
Analysis Summary
During execution, the malware runs the following commands:
- cmd.exe /C net user /domain > "%ALLUSERSPROFILE%\TMPUSER.DAT"
  If "WORKGROUP" or "workgroup" is found in TMPUSER.DAT, the malware skips straight to the deletion stage.
- cmd.exe /C net.exe stop foundation
- cmd.exe /C sc delete foundation
- cmd.exe /c del C:\Windows\Installer\MSI[0-9A-F]{4}.tmp >> NUL
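The command chain above is a useful detection signal because the four steps rarely occur together in normal administration. The following is an added example (not Rewterz tooling) that runs one regex per behaviour over process-creation events and only flags a host when at least two distinct behaviours appear; the event format and the log lines are constructed here in a simplified Sysmon Event ID 1 style, and the service name `foundation` and the `MSI[0-9A-F]{4}.tmp` pattern are taken from the advisory.

```python
import re

# Constructed sample of process-creation events in a simplified Sysmon
# Event ID 1 style (one event per line). Host WS01 shows the full command
# sequence from the advisory; WS02 is a plain admin 'net user /domain' with
# no redirect; WS03 only deletes an MSI temp file, which installers do
# routinely, so a single hit must not raise an alert on its own.
SAMPLE_EVENTS = r"""
2019-02-25T09:01:10Z host=WS01 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /C net user /domain > "%ALLUSERSPROFILE%\TMPUSER.DAT"
2019-02-25T09:01:12Z host=WS01 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /C net.exe stop foundation
2019-02-25T09:01:13Z host=WS01 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /C sc delete foundation
2019-02-25T09:01:14Z host=WS01 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c del C:\Windows\Installer\MSI3F2A.tmp >> NUL
2019-02-25T09:05:00Z host=WS02 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /C net user /domain
2019-02-25T09:06:00Z host=WS03 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c del C:\Windows\Installer\MSI9B10.tmp >> NUL
"""

# Assumed (constructed) event layout: "<ts> host=<host> image=<path> cmdline=<command line>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)

# One regex per behaviour named in the advisory, applied to the command line.
INDICATORS = {
    # 'net user /domain' whose output is redirected into a TMPUSER.DAT file
    "recon_domain_users": re.compile(
        r'\bnet(?:\.exe)?\s+user\s+/domain\b.*>\s*"?[^"\s]*TMPUSER\.DAT', re.I
    ),
    "stop_service": re.compile(r"\bnet(?:\.exe)?\s+stop\s+foundation\b", re.I),
    "delete_service": re.compile(r"\bsc(?:\.exe)?\s+delete\s+foundation\b", re.I),
    # deletion of the installer temp file named in the advisory's pattern
    "delete_msi_tmp": re.compile(
        r"\bdel\s+C:\\Windows\\Installer\\MSI[0-9A-F]{4}\.tmp\b", re.I
    ),
}


def scan_events(text):
    """Return {host: set(indicator names)} for every host with at least one match."""
    hits = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        cmdline = m.group("cmdline")
        for name, pattern in INDICATORS.items():
            if pattern.search(cmdline):
                hits.setdefault(m.group("host"), set()).add(name)
    return hits


def suspicious_hosts(text, min_distinct=2):
    """Hosts showing at least `min_distinct` different behaviours from the chain."""
    return sorted(
        host for host, names in scan_events(text).items() if len(names) >= min_distinct
    )


if __name__ == "__main__":
    for host, names in sorted(scan_events(SAMPLE_EVENTS).items()):
        print(host, sorted(names))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Requiring two distinct behaviours per host is what keeps the MSI temp-file deletion on WS03 and the unredirected `net user /domain` on WS02 from paging anyone; in a real pipeline the same grouping would be keyed on host plus a short time window rather than the whole log.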
Indicators of Compromise
IP(s) / Hostname(s)
- 169.239.128[.]15
URLs
- hxxp://195.123.209[.]169/dat1.omg
- hxxp://213.183.63[.]242/fact1.omg
Filename
- fact1.omg
- QziRxdxCaP.exe
Email Address
- michael[@]alliancegrp[.]net
- amalefa[@]cablenet.com[.]ar
- irum[@]nasco-av[.]com
- a.buffardi[@]be-tse[.]it
- michal.bien[@]danex.krakow[.]pl
- fajar.apriandi[@]advancemedicorp[.]com
- gregibbs[@]hbci[.]com
- ecopri[@]mail.wbs.ne[.]jp
Email Subject
- Sending paper signs
Malware Hash (MD5/SHA1/SHA256)
- c51fec2aa2415b6ec4da1ca6c56558a8
- 185a273e908d81ddb862855559113cf2546af107
- 78ae8616b8bb503cf0e5bbbb7b84b60eac8dd1d30726c2f74bd116e9ad19560c
- d490573977cc6b42ba0b4325df953a7f
- dacf34580c09f7b1e4b8ba02f3ab8b6be08d03ab
- 6a7eb9a166510e72912e6b90a80f77b914a76aa9e2507d0e5472bcba036fc368
- c4463d6ae741d4fb789bd0895fafebee
- c8866ca1012dfabf5ad131cfeea0036dacb433e6
- 84259a3c6fd62a61f010f972db97eee69a724020af39d53c9ed1e9ecefc4b6b6
- 2944eca03bc13b0edf064a619ec41459
- 83d215861c562315bca60994a901e06fc7cfa1a7
- 014d47cc2ee73efb3ec06a72d886888fcc2489ce8e8323f57ee03295439e6f34
- 8a9672b0f308e297db9b1000854fd13c
- df4d358287ecb6b0555627dc4574299e67e7d4d9
- d1d9657b4230b63ff7b5f94ecd21660c3edf314fcf23b745226fae806d456cb8
- 9ca31cf03258d8f02ab4cd8fccbf284b
- e1fb096873ac5ca990dda56d381f676178159885
- af1d155a0b36c14626b2bf9394c1b460d198c9dd96eb57fac06d38e36b805460
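The indicators above are published defanged (`hxxp`, `[.]`, `[@]`) and the hashes are listed as unlabelled MD5/SHA1/SHA256 triplets, so they need normalising before they can be loaded into a proxy, mail gateway or EDR blocklist. The following is an added example (not Rewterz tooling) that refangs each line, labels hashes by length and groups indicators by the control they belong to; the sample input is constructed from a subset of this advisory's own indicators, and the defanging conventions handled are an assumption about this feed's style.

```python
import re
from urllib.parse import urlparse

# Constructed sample: indicator lines copied from the advisory above, in the
# defanged form they are published in (one indicator per line, headings omitted).
SAMPLE_IOCS = """
169.239.128[.]15
- hxxp://195.123.209[.]169/dat1.omg
- hxxp://213.183.63[.]242/fact1.omg
- fact1.omg
- QziRxdxCaP.exe
- michael[@]alliancegrp[.]net
- c51fec2aa2415b6ec4da1ca6c56558a8
- 185a273e908d81ddb862855559113cf2546af107
- 78ae8616b8bb503cf0e5bbbb7b84b60eac8dd1d30726c2f74bd116e9ad19560c
"""

# Defanging conventions assumed for this feed; order matters only for readability.
DEFANG_RULES = [
    ("hxxps://", "https://"),
    ("hxxp://", "http://"),
    ("[.]", "."),
    ("(.)", "."),
    ("[@]", "@"),
]
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(value):
    """Turn a defanged indicator back into its real form."""
    for defanged, real in DEFANG_RULES:
        value = value.replace(defanged, real)
    return value


def classify(raw):
    """Map one indicator line to (type, normalised value)."""
    v = refang(raw.strip().lstrip("-").strip())
    if len(v) in HASH_TYPES and re.fullmatch(r"[0-9a-fA-F]+", v):
        return HASH_TYPES[len(v)], v.lower()
    if IPV4_RE.fullmatch(v):
        return "ip", v
    if re.match(r"https?://", v, re.I):
        return "url", v
    if "@" in v:
        return "email", v.lower()
    return "filename", v


def parse_iocs(text):
    """Group indicators by type so each list can go to the matching control."""
    grouped = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, value = classify(line)
        grouped.setdefault(kind, []).append(value)
    return grouped


def url_hosts(grouped):
    """Hosts extracted from the URL list, for proxy or DNS blocking."""
    return sorted({urlparse(u).hostname for u in grouped.get("url", [])})


if __name__ == "__main__":
    iocs = parse_iocs(SAMPLE_IOCS)
    for kind, values in sorted(iocs.items()):
        print(kind, values)
    print("url hosts:", url_hosts(iocs))
```

Hashes go to the endpoint control, URL hosts and the IP to the proxy/firewall, and sender addresses to the mail gateway; the filename list is the weakest indicator of the set since attackers rename droppers freely, so treat it as a hunting lead rather than a block rule.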
Remediation
- Block the threat indicators above at their respective controls (proxy/firewall, mail gateway, endpoint).
- Employees must not open spam emails that do not look relevant to them.
- Never download files attached to emails from unknown sources.
- Never click on links in unexpected emails.