Rewterz Threat Alert – Zebrocy Infects Targets with Backdoor hosted on Dropbox
September 25, 2019Rewterz Threat Alert – Malspam pushing Quasar RAT
September 25, 2019Rewterz Threat Alert – Zebrocy Infects Targets with Backdoor hosted on Dropbox
September 25, 2019Rewterz Threat Alert – Malspam pushing Quasar RAT
September 25, 2019Severity
High
Analysis Summary
Formbook is an information stealer acting as a form grabber which harvests credentials, passwords, banking details, key strokes and network requests, by intercepting web browser and other clients such as email and IM. Formbook is used in a recent campaign embedded in a malicious Microsoft Excel document which is sent to targets via emails as part of a phishing attack. Attached below is a screenshot of the Excel sheet.
Macros are disabled by default and users are prompted to ‘Enable Content’ upon opening the document.
When “Enable Content” button is clicked within Microsoft Excel, a malicious macro executes a PowerShell script which runs in the background as a child process to wmiprvse.exe. The script uses a bitwise XOR to decode and convert the obfuscated payload. It then makes an external request to an infected WordPress site, and downloads a further payload from hxxp://insumoscerveceros.com.co/wp-admin/network/Purchase.exe.
Impact
- Credential Theft
- Theft of financial information
Indicators of Compromise
IP(s) / Hostname(s)
69[.]175[.]87[.]74
URLs
- hxxp[:]//insumoscerveceros[.]com[.]co/wp-admin/network/Purchase
- hxxp[:]//www[.]insumoscerveceros[.]com[.]co
Malware Hash (MD5/SHA1/SH256)
- c0192628600119942584ddcb680d27de
- bed8975b537f5b9f205263a6dffe9a187290405cec2845e7f59d393d0ecc3bf8
- 8865779fee523e28918da95a15c88c0f14ffc54d04b32c7a42a1fc2fdff4582d
- eac39955e9c12314d1bee73e5878d88d
Remediation
- Block the threat indicators at their respective controls.
- Do not download email attachments coming from unknown sources.
- Always scan files before execution.
- Do not enable macros for irrelevant and unnecessary document files.