Rewterz Threat Alert – New ‘Duri’ Campaign Uses HTML Smuggling to Deliver Malware
August 19, 2020
Rewterz Threat Alert – Cryptomining DDoS Malware Lucifer targets Windows and Linux
August 20, 2020
Severity
High
Analysis Summary
Threat actors have enhanced a banking trojan that has been widely used during the COVID-19 pandemic with new functionality to help it avoid detection by potential victims and standard security protections. The latest version of IcedID identified by the Juniper team is being distributed using compromised business accounts where the recipients are customers of the same businesses. The malware has evolved over the years and already has a history of clever obfuscation. For instance, it resurfaced during the COVID-19 campaign with new functionality that uses steganography, or the practice of hiding code within images to stealthily infect victims, as well as other enhancements.
The phishing emails are sent to potential victims from what purports to be the accounting department and claim to include an invoice. The attachment is a password-protected zip file named request.zip. The password protection prevents anti-malware analysis solutions from decrypting and inspecting the attachment. The password is included in the email message body, in the hope that the victim will read the email, locate the password and use it to open the attached file.
Inside, the user finds a Microsoft Word document containing a macro that executes when the document is opened. The usual social-engineering lure to get victims to enable macros is present; in this case it claims the document was created with an earlier version of MS Word. Once macros are enabled, the VB script downloads a DLL, saves it with a .pdf extension and installs it as a service using regsvr32 to guarantee persistence.
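As an added detection example (not part of the Rewterz alert), the following Python checks process-creation events for the pattern described above: regsvr32 launched by an Office process, or pointed at a file that is not a DLL, plus a header check for a "PDF" that actually carries a PE (MZ) image. The sample events, paths and process names are constructed for illustration.

```python
import os
import re

# Constructed sample process-creation events: (parent image, image, command line).
# Illustrative only, not telemetry from the incident described in the alert.
SAMPLE_EVENTS = [
    ("WINWORD.EXE", "regsvr32.exe",
     r'regsvr32.exe /s "C:\Users\victim\AppData\Local\Temp\invoice.pdf"'),
    ("msiexec.exe", "regsvr32.exe", r'regsvr32.exe /s C:\Vendor\vendor.dll'),
    ("explorer.exe", "notepad.exe", r'notepad.exe C:\notes.txt'),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
REGISTRABLE_EXTENSIONS = {".dll", ".ocx", ".ax"}  # what regsvr32 normally loads


def regsvr32_reasons(parent, image, cmdline):
    """Return why an event matches the alert's regsvr32 pattern (empty list = no match)."""
    if os.path.basename(image).lower() != "regsvr32.exe":
        return []
    reasons = []
    if os.path.basename(parent).lower() in OFFICE_PARENTS:
        reasons.append("spawned-by-office")
    # Tokenise the command line honouring quoted paths; drop the binary and /switches.
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)][1:]
    for arg in tokens:
        if arg.startswith("/"):
            continue
        ext = os.path.splitext(arg)[1].lower()
        if ext not in REGISTRABLE_EXTENSIONS:
            reasons.append(f"unexpected-extension:{ext or 'none'}")
    return reasons


def flag_events(events):
    """Run the check over a batch; returns [(cmdline, reasons), ...] for matching events."""
    hits = []
    for parent, image, cmdline in events:
        reasons = regsvr32_reasons(parent, image, cmdline)
        if reasons:
            hits.append((cmdline, reasons))
    return hits


def disguised_pe(path, header):
    """True when a file with a non-executable extension starts with the PE 'MZ' magic."""
    ext = os.path.splitext(path)[1].lower()
    return ext not in REGISTRABLE_EXTENSIONS | {".exe", ".sys"} and header[:2] == b"MZ"


if __name__ == "__main__":
    for cmdline, reasons in flag_events(SAMPLE_EVENTS):
        print(cmdline, "->", ", ".join(reasons))
    print(disguised_pe("invoice.pdf", b"MZ\x90\x00"))
```

The header check is worth running on any downloaded file whose name does not match its content, since the alert's payload is a DLL stored under a .pdf name.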
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
IP
- 185[.]43[.]4[.]241
SHA-256
URL
- http[:]//3wuk8wv[.]com/
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.