November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Rewterz Threat Alert – NetCat – Intel Server CPUs Side Channel Vulnerability
September 13, 2019Rewterz Threat Alert – Lokibot Malware – IoCs
September 13, 2019Rewterz Threat Alert – NetCat – Intel Server CPUs Side Channel Vulnerability
September 13, 2019Rewterz Threat Alert – Lokibot Malware – IoCs
September 13, 2019
Severity
Medium
Analysis Summary
The North Korean APT group Hidden Cobra is using new variants of malware, dubbed ELECTRICFISH and BADCALL.
ELECTRICFISH:
The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a tunneling session. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.
BADCALL:
The sample files discovered for BADCALL variant are 32-bit Windows executable files that function as proxy servers and implement a “Fake TLS”.
Another Android Package Kit (APK) file designed to run on Android platforms is also found, that works as a fully functioning Remote Access Tool (RAT).
Impact
- Information Theft
- Unauthorized Remote Access
Indicators of Compromise
Malware Hash (MD5/SHA1/SH256)
- 4257bb11570ed15b8a15aa3fc051a580eab5d09c2f9d79e4b264b752c8e584fc
- c01dc42f65acaf1c917c0cc29ba63adc
- 93e13ffd2a2f1a13fb9a09de1d98324f75b3f0f8e0c822857ed5ca3b73ee3672
- 22082079ab45ccc256e73b3a7fd54791
- d1f3b9372a6be9c02430b6e4526202974179a674ce94fe22028d7212ae6be9e7
- c6f78ad187c365d117cacbee140f6230
- edd2aff8fad0c76021adc74fe3cb3cb1a02913a839ad0f2cf31fdea8b5aa8195
- d93b6a5c04d392fc8ed30375be17beb4
- 91650e7b0833a34abc9e51bff53cc05ef333513c6be038df29929a0a55310d9c
- 2733a9069f0b0a57bf9831fe582e35d9
- 7cf5d86cc75cd8f0e22e35213a9c051b740bd4667d9879a446f06277782bffd1
- 0ba6bb2ad05d86207b5303657e3f6874
- a1260fd3e9221d1bc5b9ece6e7a5a98669c79e124453f2ac58625085759ed3bb
- 8d9123cd2648020292b5c35edc9ae22e
Remediation
- Block the threat indicators at their respective controls.
- Do not download files/software from random sources on the internet.
- Always scan files prior to execution.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Restrict users’ ability (permissions) to install and run unwanted software applications.
- Be cautious about email attachments even if they look harmless.