October 19, 2020
Severity
High
Analysis Summary
Earlier this month, a malware family called SlothfulMedia was found targeting victims in multiple countries and was attributed to a sophisticated threat actor. This C++ backdoor is the first element of the actor's toolset. It comes in EXE and DLL variants and was distributed through spear-phishing e-mails carrying malicious Word documents. The infection chain relies on a PowerShell script that downloads, from a remote server, a base64-encoded payload hidden inside an image file. The threat actor, tracked as IAmTheKing, uses several toolsets, including SlothfulMedia, KingofHearts and QueenofHearts.
Rather than developing sophisticated features, the malware developers opted to include anti-debugging and virtualization detection routines. Communications with the C2 server take place over HTTP(S), implemented with the wsdlpull open-source library. The backdoor looks for new orders every second by sending a heartbeat to the C2 (the “HEART” command, hence the name).
We identified two main development branches: one of them sends URL-encoded POST data, and the other one sends JSON objects. Both have been used concurrently and otherwise display the same capabilities. Victims targeted by this threat actor include government bodies and defense contractors, public agencies for development, universities and companies in the energy sector. Attacks were seen in Russia, Eastern Europe, Central Asia, as well as India, Ukraine and Malaysia.
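The one-second heartbeat described above is a detectable traffic pattern. As an added example (not code from the advisory or from the malware), the script below parses constructed proxy log lines and flags source/destination pairs whose request gaps stay at a near-constant interval of about one second; the log format, the sample addresses and the thresholds are assumptions.

```python
"""Flag hosts that beacon at a near-constant ~1 s interval, as the SlothfulMedia
heartbeat does. Log format, sample addresses and thresholds are assumptions
made for this example, not values taken from the advisory."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> <src_ip> <method> <url>" (constructed).
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def parse_line(line):
    """Return (timestamp, src_ip, method, host) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url = m.groups()
    host = url.split("/")[2] if "://" in url else url
    return datetime.fromisoformat(ts), src, method, host

def find_beacons(lines, expected=1.0, tolerance=0.2, min_requests=5):
    """Return {(src, host): mean_gap} for pairs whose consecutive request gaps
    average within `tolerance` s of `expected` and show little jitter."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, _method, host = rec
            times[(src, host)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if abs(mean - expected) <= tolerance and statistics.pstdev(gaps) <= tolerance:
            hits[key] = round(mean, 2)
    return hits

# Constructed sample: one host POSTing every second, one browsing normally.
SAMPLE_LOG = [
    "2020-10-19T09:00:00 10.0.0.5 POST http://203.0.113.7/index.php",
    "2020-10-19T09:00:01 10.0.0.5 POST http://203.0.113.7/index.php",
    "2020-10-19T09:00:02 10.0.0.5 POST http://203.0.113.7/index.php",
    "2020-10-19T09:00:03 10.0.0.5 POST http://203.0.113.7/index.php",
    "2020-10-19T09:00:04 10.0.0.5 POST http://203.0.113.7/index.php",
    "2020-10-19T09:00:05 10.0.0.5 POST http://203.0.113.7/index.php",
    "2020-10-19T09:00:00 10.0.0.9 GET http://example.com/",
    "2020-10-19T09:00:07 10.0.0.9 GET http://example.com/news",
    "2020-10-19T09:00:31 10.0.0.9 GET http://example.com/about",
    "2020-10-19T09:01:02 10.0.0.9 POST http://example.com/login",
    "2020-10-19T09:01:45 10.0.0.9 GET http://example.com/",
]

if __name__ == "__main__":
    for (src, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: mean interval {gap}s")  # 10.0.0.5 -> 203.0.113.7: 1.0s
```

On real proxy or firewall logs, widen `tolerance` to absorb network jitter and exclude known update or telemetry endpoints before alerting.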
Impact
- Remote Code Execution
- Unauthorized Remote Access
- Data Manipulation
- Process Termination
- Credential Theft
Indicators of Compromise
MD5
SHA-256
SHA-1
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Keep all systems and software updated to the latest patched versions.