Rewterz Threat Alert – Ursnif Banking Trojan – IOCs
June 2, 2020
Severity
Medium
Analysis Summary
Researchers intercepted waves of incoming emails directed at many companies. These messages leveraged FMLA (Family and Medical Leave Act) requests related to the ongoing coronavirus pandemic. The emails were weaponized with two versatile cyber-criminal tools: Himera and Absent-Loader. Loaders are a type of malicious code specialized in loading additional malware onto the victim’s machine. Sometimes a loader also shows “stealer” behavior, opportunistically gathering sensitive information even though that is not its primary purpose; Absent-Loader, despite its name, behaves this way. The market for stolen information is definitely remunerative for cyber criminals: information gathered from infected systems is constantly sold in the underground, typically to other, more structured criminal organizations or even to business competitors.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
Filename
- Covid-19-PESANTATION[.]doc
MD5
- 4620c79333ce19e62efd2adc5173b99a
- 97fa1f66bd2b2f8a34aafe5a374996f8
- 4d2207059fe853399c8f2140e63c58e3
SHA-256
- 501ac08ebac646517b00d3234dfe58837b460bd5f045822d9fb5999f00979bfe
SHA-1
- 0d33b65bee0ca5af8707a16f5a27570287ac111e
- 7fb3218b1ca76c379e08e7ce4942c2ead4c1e115
URL
- http[:]//195[.]2[.]92[.]151/ad/da/drop/smss[.]exe
- http[:]//195[.]2[.]92[.]151/ad/da/gate[.]php
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.
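As an added example (not part of the Rewterz advisory), the following Python sweep refangs the indicators listed above and checks file hashes and proxy log lines against them, so the "block at your controls" step can be verified rather than assumed. The proxy log lines are constructed for the demonstration; the hash and URL values are the ones published in this alert.

```python
import hashlib
import re

# Indicators as listed in the advisory above, kept in their defanged form.
ADVISORY_IOCS = {
    "md5": {"4620c79333ce19e62efd2adc5173b99a", "97fa1f66bd2b2f8a34aafe5a374996f8",
            "4d2207059fe853399c8f2140e63c58e3"},
    "sha1": {"0d33b65bee0ca5af8707a16f5a27570287ac111e",
             "7fb3218b1ca76c379e08e7ce4942c2ead4c1e115"},
    "sha256": {"501ac08ebac646517b00d3234dfe58837b460bd5f045822d9fb5999f00979bfe"},
    "url": {"http[:]//195[.]2[.]92[.]151/ad/da/drop/smss[.]exe",
            "http[:]//195[.]2[.]92[.]151/ad/da/gate[.]php"},
}

def refang(ioc: str) -> str:
    """Undo the [.] and [:] defanging so a value can be matched against real logs."""
    return ioc.replace("[.]", ".").replace("[:]", ":")

def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 hex digests of a byte string."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def match_hashes(digests: dict) -> list:
    """Algorithms under which the given digests hit an advisory hash indicator."""
    return [alg for alg in ("md5", "sha1", "sha256") if digests.get(alg) in ADVISORY_IOCS[alg]]

def match_file(path: str) -> list:
    """Hash a file on disk and report which advisory hashes it matches."""
    with open(path, "rb") as fh:
        return match_hashes(hash_bytes(fh.read()))

def match_proxy_log(lines) -> list:
    """Log lines that contain an IoC URL or a bare reference to its host."""
    urls = {refang(u) for u in ADVISORY_IOCS["url"]}
    hosts = {re.match(r"https?://([^/]+)", u).group(1) for u in urls}
    # Boundaries around the host so that e.g. 195.2.92.1510 is not a false hit.
    host_re = [re.compile(r"(?<![\d.])" + re.escape(h) + r"(?![\d.])") for h in hosts]
    return [ln for ln in lines if any(u in ln for u in urls) or any(h.search(ln) for h in host_re)]

# Constructed sample proxy log lines (not from the advisory) to exercise the matcher.
SAMPLE_PROXY_LOG = [
    "2020-06-02T09:14:11Z src=10.0.5.42 GET http://195.2.92.151/ad/da/drop/smss.exe 200",
    "2020-06-02T09:14:12Z src=10.0.5.42 POST http://195.2.92.151/ad/da/gate.php 200",
    "2020-06-02T09:15:00Z src=10.0.5.17 GET http://example.com/index.html 200",
    "2020-06-02T09:16:00Z src=10.0.5.17 GET http://195.2.92.1510/ 404",
]

if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG):
        print("IOC hit:", hit)
```

Run `match_file()` over quarantined attachments and `match_proxy_log()` over exported proxy lines; an empty result for both is the evidence that the listed indicators are not present.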