Rewterz Threat Advisory – CVE-2020-3956 – VMware Cloud Director updates address Vulnerability

May 21, 2020

Rewterz Threat Alert – COVID-19 GuLoader Spike

May 26, 2020

Rewterz Threat Alert – Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia

May 21, 2020

Severity

High

Analysis Summary

Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia in two different campaigns where likely the target of both campaigns was data exploration and exfiltration. In the Kuwait attack, threat actors created their own user account and in the Saudi Arabia attack relied on social engineering to compromise victims

Kuwait attack

The first signs of compromise were several reverse TCP files and PowerShell commands that executed some base64 compressed code, specific to the Metasploit framework. Once the victims were compromised, attackers started to bring reconnaissance tools for network scanning (“xnet. exe”, “shareo.exe”) and credential gathering (as “mnl.exe” or “mimi32.exe”) or tools with multiple functionalities, such as CrackMapExec (for users’ enumeration, share listing, credentials harvesting and so on). Once they gained a foothold inside the company, they started to install custom modules: a modified Plink (wehsvc.exe) installed as a service, as well as a backdoor (imjpuexa.exe), which was also executed as a service on some machines.

Saudi Arabia attack

The initial compromise was achieved through social engineering. The RAT component was located in the %Download% folder, which is the default folder for any download process, while its parent process was actually explorer. exe; indicating that the user executed the malicious file. Also, the RAT was executed twice, with different names (“drivers.exe” and “drivers_x64.exe”). Internal network reconnaissance seems to have been performed using the “etblscanner.exe” tool. We also spotted the use of three different RAT components.

Impact

Data exfiltration

Indicators of Compromise

MD5

efbd849619aee8bd3429dd9ccb2a1995
dd9589b206791307d25e63d793c2ca31
dc5695024cd23c90883db145cb236490
d0e74da12c5e8d35f6db1ae0c60748b7
894fd325751465d6f48c17106a1a91d1

SHA-256

5ee9873c3c8684ac097bd28d3caf4264c6da6aa6acfeb8f6e72f1a99215a4be8
710e32af0d41a6701d57337701b091b158add04a601b68cca67a808bdd87d881
d965352c6632e694b8f1f62f96874bd0df8d7c128c465ee9a76eb86ebddb0c02
11dbfb390f7008524e523da7d0cda61723584082fc91ff96d1148c4aac6198a0
c839e886b98d2c752a134e888dad40799cd9966f8a73b51edc85ca2d72f99616
144a160c57c2d429d072046edfdd1b44ff22bcae4f0535732f6c2b19190f2f35
508ba7971b1f7651ba7d26815f75d66977820bd4eb3a615e3ab7079058d80380
f991cadf11c5075f0ed6f381dfdac311cf59480962debf8b874f95e9bee5c4f2
021813c78cf31b0d7e77b40374347d8ed4e5a5ca69a7fc29bbc7bff969c09f3c
b297a0b2e775f096d9ebda6130abbb5ec59813c7703159ea191b47d7b7293e1e
a1f5c72721f9aa2ca29f1de7645a64b505c05dcd53dbdd7b9e904b1627c6d578
98a9b2329eefe618daa78b6afed82cebf40cb918ad0aae7a8d7f59af4cb13b41

SHA1

aa0992ad9203168184a0f41e40ac901ec3f68afb
1b3c5d8a2844b6e0c839a670065e59a7cee05474
8eb9bfc25faf12ce359cef2fbddb8db4d9f5bfd7
b90205c684255ac11e0384af1fc7718573754f68
06461f22ef82e993f055024891ff735c910421ad

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

CVE-2024-32638 – Apache APISIX Vulnerability

Multiple SAP Products Vulnerabilities

Multiple IBM Products Vulnerabilities

Threat Insights

About Us

Our Leadership

CSR

Connect with Us