Severity
Medium
Analysis Summary
Cybercriminals are theming their malspam campaigns around the current global pandemic. Researchers have published a report indicating that the majority of coronavirus and COVID-19 themed malspam delivers information-stealing malware. The payloads delivered changed over time and by region, but the most common category the detected malware fell into was infostealers. The researchers also found that these campaigns are most active on weekdays, and are frequently launched on a Monday. Lokibot was the most common and persistent payload overall, whereas in the North American region the payloads were more diverse, with a more even spread of various infostealers. The malware seen in the various campaigns included, but is not limited to, Agent Tesla, the 404 Keylogger, Hawkeye, Lokibot, and TrickBot.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
Email Subject
- COVID-19 VACCINE UPDATE
- The measures BOBST has taken regarding the Coronavirus expansion
- AWARENESS NOTICE ON CORONAVIRUS(COVID-19)
- COVID-19[:] Copy of Transfer Receipt From Our Bank
- UPDATE [:] BUSINESS CONTINUITY PLAN ANNOUNCEMENT 2020 DUE TO CORONAVIRUS (COVID-19
- Re[:] Arrival notice – M/V Corona Triton
Filename
- W[.]H[.]O WORLD COVID-19 UPDATES_doc[.]exe
- W[.]H[.]O WORLD COVID-19 UPDATES_doc[.]r00
- AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf[.]exe
- Letter_to_customers_covid-19_pdf[.]exe
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
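To act on the "block all threat indicators" step, the following added example (not Rewterz's code) refangs the email subjects and attachment filenames listed above and checks a constructed sample message against them; the deceptive-filename regex generalises from the page's lure names to any document-looking stem ("_doc", "_pdf") followed by an executable or archive extension.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the advisory, kept in their defanged form.
SUBJECT_IOCS = [
    "COVID-19 VACCINE UPDATE",
    "The measures BOBST has taken regarding the Coronavirus expansion",
    "AWARENESS NOTICE ON CORONAVIRUS(COVID-19)",
    "COVID-19[:] Copy of Transfer Receipt From Our Bank",
    "Re[:] Arrival notice – M/V Corona Triton",
]
FILENAME_IOCS = [
    "W[.]H[.]O WORLD COVID-19 UPDATES_doc[.]exe",
    "W[.]H[.]O WORLD COVID-19 UPDATES_doc[.]r00",
    "AWARENESS NOTICE ON CORONAVIRUS COVID-19 DOCUMENT_pdf[.]exe",
    "Letter_to_customers_covid-19_pdf[.]exe",
]
# Lure shape shared by those filenames: a document-looking stem ("_doc",
# "_pdf") followed by an executable or archive extension.
DECEPTIVE_NAME = re.compile(r"_(doc|pdf|xls)\.(exe|scr|r\d\d|rar|zip)$", re.I)

def refang(ioc: str) -> str:
    """Turn the advisory's defanged text back into the literal string."""
    return ioc.replace("[.]", ".").replace("[:]", ":")

def check_message(raw: bytes) -> dict:
    """Report which indicators an RFC 5322 message matches (case-insensitive)."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    subjects = {refang(s).casefold() for s in SUBJECT_IOCS}
    filenames = {refang(f).casefold() for f in FILENAME_IOCS}
    return {
        "subject_match": subject.casefold() in subjects,
        "filename_match": [n for n in names if n.casefold() in filenames],
        "deceptive_name": [n for n in names if DECEPTIVE_NAME.search(n)],
    }

def build_sample() -> bytes:
    """Constructed sample message (not a real capture) with one lure attachment."""
    m = EmailMessage()
    m["Subject"] = "COVID-19 VACCINE UPDATE"
    m["From"] = "sender@example.invalid"
    m.set_content("Please see the attached update.")
    m.add_attachment(b"\x00" * 16, maintype="application", subtype="octet-stream",
                     filename="Letter_to_customers_covid-19_pdf.exe")  # dummy bytes
    return m.as_bytes()
```

Feed real messages to check_message() from a mail gateway or mailbox export; a hit on any of the three fields is a candidate for quarantine and analyst review.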