Rewterz Threat Alert – IcedID Trojan Rebooted with New Evasive Tactics

August 19, 2020

Severity

High

Analysis Summary

Threat actors have enhanced a banking trojan that has been widely used during the COVID-19 pandemic with new functionality that helps it avoid detection by potential victims and by standard security protections. The latest version of IcedID identified by the Juniper team is distributed from compromised business accounts to recipients who are customers of those same businesses. The malware has evolved over the years and already has a history of clever obfuscation. For instance, it resurfaced during the COVID-19 campaign with new functionality that uses steganography (hiding code within images) to infect victims stealthily, along with other enhancements.

The phishing emails are sent to potential victims from the accounting department and purport to include an invoice. The attachment is a password-protected zip file named request.zip. The password protection prevents anti-malware solutions from decrypting and inspecting the attachment. The password is included in the email body, in the hope that the victim will read the email, locate the password and use it to open the attached file.

[Figure: sample phishing email with the password-protected request.zip attachment]

Inside, the user finds a Microsoft Word document containing a macro that executes when the document is opened. The document carries the usual social engineering lure to get victims to enable macros, in this case claiming the document was created with a previous version of MS Word. Once macros are enabled, the VB script downloads a DLL, saves it with a PDF file name and installs it as a service using regsvr32 to guarantee persistence.

[Figure: the document macro that downloads and registers the DLL]
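As an added illustration of how a defender might hunt for this delivery chain (example code written for this page, not part of the Rewterz advisory), the script below scans constructed process-creation events for the two behaviours the analysis describes: regsvr32 launched by Word, and regsvr32 registering a file that carries a .pdf name instead of a DLL extension. The "parent=/image=/cmd=" event format and the sample lines are assumptions.

```python
"""Hunt for the IcedID macro-to-regsvr32 chain in process-creation events."""
import re
from dataclasses import dataclass

# Office binaries that should not normally spawn regsvr32 (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Extensions regsvr32 legitimately registers.
REGISTRABLE_EXTS = {"dll", "ocx", "ax"}

@dataclass
class Finding:
    line_no: int
    reason: str
    command: str

# Constructed sample events (not real telemetry from the advisory).
SAMPLE_EVENTS = [
    "parent=explorer.exe image=winword.exe cmd=WINWORD.EXE /n C:\\Users\\a\\Downloads\\request\\invoice.doc",
    "parent=winword.exe image=regsvr32.exe cmd=regsvr32 /s C:\\Users\\a\\AppData\\Local\\Temp\\invoice.pdf",
    "parent=services.exe image=regsvr32.exe cmd=regsvr32 /s C:\\Windows\\System32\\vbscript.dll",
    "parent=msiexec.exe image=regsvr32.exe cmd=regsvr32 /s C:\\Vendor\\component.ocx",
]

EVENT_RE = re.compile(r"parent=(?P<parent>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)")

def regsvr32_targets(cmd: str) -> list[str]:
    """Return the file arguments of a regsvr32 command line (switches like /s dropped)."""
    return [tok for tok in cmd.split()[1:] if not tok.startswith("/")]

def analyze_event(line_no: int, line: str) -> list[Finding]:
    """Apply both detections to one event; return every finding it triggers."""
    m = EVENT_RE.match(line)
    if not m or m["image"].lower() != "regsvr32.exe":
        return []
    parent, cmd = m["parent"].lower(), m["cmd"]
    findings = []
    if parent in OFFICE_PARENTS:
        findings.append(Finding(line_no, "regsvr32 spawned by Office application", cmd))
    for target in regsvr32_targets(cmd):
        ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
        if ext not in REGISTRABLE_EXTS:
            findings.append(Finding(line_no, f"regsvr32 registering non-DLL file type '.{ext}'", cmd))
    return findings

def scan(events: list[str]) -> list[Finding]:
    """Run analyze_event over every line; line numbers start at 1."""
    return [f for i, line in enumerate(events, 1) for f in analyze_event(i, line)]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.reason}: {f.command}")
```

Only the second sample event fires, on both rules; the legitimate DLL and OCX registrations stay silent.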

Impact

  • Information theft
  • Exposure of sensitive data

Indicators of Compromise

IP

  • 185[.]43[.]4[.]241

SHA-256


URL

  • http[:]//3wuk8wv[.]com/

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on links/attachments sent by unknown senders.