Severity
Medium
Analysis Summary
Hidden Bee was developed as a web browser hijacker in late 2017. By mid-2018, new malware samples included a crypto-miner module packaged in unique file formats. The low detection rate led to over 500,000 infected systems in the Asia-Pacific region. The malware authors developed several unique file formats and filesystems, with a focus on dynamically loaded malware modules, which makes the malware difficult to analyze with established toolkits.
Impact
Execution of Hidden Bee malware delivered through an exploit kit page
Indicators of Compromise
URLs
Malware Hashes (MD5/SHA1/SHA256)
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.
- Practice safe browsing – initial infection was due to numerous compromised adult websites.