
Rewterz Threat Alert – GoldenSpy Malware

June 29, 2020

Severity

High

Analysis Summary

A newly discovered attack campaign infiltrated a UK-based technology company via tax payment software. The attackers could run Windows commands, create new users, move laterally and upload code to execute malware. The attackers could also potentially use the network access to exfiltrate data. GoldenSpy installs two identical versions of itself, both as persistent autostart services; if either stops running, the other respawns it. In addition, it uses an EXEProtector module that monitors for the deletion of either copy of itself. If one is deleted, the malware downloads and executes a new version. Researchers believe that this triple-layer protection makes it exceedingly difficult to remove this kind of file from an infected system.
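The paired-service persistence described above gives defenders a concrete shape to hunt for: two or more Automatic-start services backed by byte-identical executables at different paths. The following PowerShell check is an added example, not code from the advisory; it assumes it runs in an elevated session on the Windows host being examined.

```powershell
# Added detection check (not from the advisory): list Automatic-start services whose
# executables are byte-identical, the pattern GoldenSpy uses for its two paired services.
# Assumption: run from an elevated PowerShell session on the host under investigation.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName }

$records = foreach ($svc in $services) {
    # PathName may be quoted and may carry arguments; keep only the executable path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
           else { ($svc.PathName -split '\s+')[0] }
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        [PSCustomObject]@{
            Name   = $svc.Name
            Path   = $exe
            Sha256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }
    }
}

# Several services sharing one host binary (e.g. svchost.exe) is normal, so require the
# same hash at more than one distinct path before reporting.
$records | Group-Object Sha256 | Where-Object {
    $_.Count -gt 1 -and ($_.Group.Path | Sort-Object -Unique).Count -gt 1
} | ForEach-Object {
    Write-Output "Identical binary (SHA-256 $($_.Name)) backs multiple autostart services:"
    $_.Group | Format-Table Name, Path -AutoSize
}
```

Any hit should be compared against the advisory's hash indicators and the service install times before the services are stopped, since the counterpart service and EXEProtector will otherwise restore whatever is removed.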

Impact

  • Data exfiltration
  • Exposure of sensitive data

Indicators of Compromise

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.