August 28, 2020
Severity
High
Analysis Summary
An APT mercenary group is believed to be behind a cyber espionage campaign targeting the industrial sector. The likely objective is the acquisition of financial information or intelligence on the negotiation of high-profile contracts. Such groups offer their services to the highest bidder, and their techniques are sophisticated and powerful. The company targeted in this campaign works on architectural projects in New York, London, Australia, and Oman. Given the sophistication of the attack, it is hypothesized that the group had prior knowledge of the company's security posture.

The group infiltrated the company using a malicious plugin for Autodesk 3ds Max. Before the intrusion, the group tested the company's defences by deploying a payload in an effort to avoid detection once inside. The plugin, PhysXPluginMfx, is able to corrupt 3ds Max so that it runs malicious code and propagates MAX files. The file is encrypted with Autodesk's own encryption script and contains an embedded DLL. The script starts by sending HTTP POST requests and executing the responses in memory. It also creates a periodic job that cleans out certain MAXScripts known to interfere with the malicious file(s). Code is then downloaded from the C2 and executed.

Finally, the script implements persistence through a hidden file placed in the startup folder of the 3ds Max software. Information is collected from the victim machine and encrypted with a custom algorithm so that it looks like base64 content. At this point, more files are downloaded from the C2; these evade detection by modifying timestamps, applying hidden attributes, and cleaning up ALC/CRP third-party MAXScripts. Other binaries are downloaded from the C2 server to collect screenshots, passwords, and browser history. The attackers use HdCrawler (to list, compress, and upload files) and InfoStealer (B4E6HVVnCvY.dll).
Impact
- Unauthorized remote code execution
- Information theft
- Detection evasion
Indicators of Compromise
SHA-256
- d6ad1e0b11a620ed4df39255ffff11a483687d7038d6c76b938d15add54345fa
- 2d934a705638acd3fcb44f66a9a1633c27231550113f20df6061c10b1aa6e9f6
SHA-1
- 3fe7d1a0aed95efd1759bb1c7b9e08064998bdee
- 4727e029a7abc21130311ddb1c047badd6fc1223
Source IP
- 175[.]197[.]40[.]61
URL
- http[:]//175[.]197[.]40[.]61[:]3445/l
- http[:]//175[.]197[.]40[.]61[:]3445//Public/Find_Crp
- http[:]//175[.]197[.]40[.]61[:]3445/Public/fixAll
- http[:]//175[.]197[.]40[.]61[:]3445/YkSxBJVz
- http[:]//175[.]197[.]40[.]61[:]3445/Public/Find_Alc
- http[:]//175[.]197[.]40[.]61[:]3445/Public/NlWuLNUDzqM
- http[:]//175[.]197[.]40[.]61[:]3445/FRNuzqJIZyb
- http[:]//175[.]197[.]40[.]61[:]3445/n
- http[:]//175[.]197[.]40[.]61[:]3445/grhL1wCYAhf
- http[:]//175[.]197[.]40[.]61[:]3445/TYEHVSjn2Ny
- http[:]//175[.]197[.]40[.]61[:]3445/r
- http[:]//175[.]197[.]40[.]61[:]3445/eYOMAHg
- http[:]//175[.]197[.]40[.]61[:]3445/b
Remediation
- Block the threat indicators at their respective controls.
- Keep unused and unnecessary plugins deactivated.