Severity
High
Analysis Summary
The Evilnum group's operations are highly targeted at the financial sector, with a focus on the FinTech market. The attack begins with a phishing email carrying a malicious attachment. When the attached document is opened, it executes a dropper that creates scheduled tasks. The group's recent activity shows several changes: a modified infection and persistence chain, new infrastructure that is expanding over time, and the use of a new Python-scripted Remote Access Trojan (RAT) that Nocturnus dubbed PyVil RAT. PyVil RAT offers several capabilities: it lets the attackers exfiltrate data, log keystrokes, take screenshots, and deploy additional tools such as LaZagne to steal credentials. It uses modified versions of legitimate executables in an attempt to evade security tools. The infection chain shows a shift from a JavaScript Trojan with backdoor capabilities to a multi-process payload delivery procedure; unlike previous versions, which carried an array of functionalities, this version of the JavaScript acts mainly as a dropper and has no C2 communication capability.
Impact
- Data Exfiltration
- Information Theft
- Credential Theft
- Unauthorized Access
Indicators of Compromise
Domain Name
- coinzre[.]website
MD5
- b034972a9540b3b00161310f5bf03fc9
- d76f443222551edfe07b357c3bb157da
- fcce335ad11f4e568e6fe23ae766b187
- 2dbd582b909880eb446ed36e0129ad4b
- 7cfeb19c792c78c791367c89f74bc8ab
- abbfad043fb14ea3dc763b5421361bee
SHA-256
- fd50f667337214e27256a0a8053e321d54c61466dce61805bdf51ca47e89e567
- a53e5b8da9a397fbf3623969333fb7c58e7690e8dbd0f485c1d7861e3e07fe37
- 1820244e54dbb87ea21f6f1df15c3f255bfe3dd36db41fbf2f2e1f742a515063
- 4c355d1e1a2a10135aa2e2848790355bfbab2d64eb5dd95d7278cd8c0ffbf470
- 1be727ebce44e5c669b2b08ad06e9d99c02490f8bb7f59dda81050947d99b77a
- 8a73e6fc98e1864296684b9aa82a488590f3110efd5c6e47829642880fd1fc9c
SHA-1
- 1c1d8d0af6aa728589c5d0d0f46c01b129c75ba0
- a7f1c2be87b5ee4392757948fb7c895cad95520b
- 976da2e8bdd698d974d38d01593897ca64946d92
- 1303eb76fe1f978c6bfb6ea28329e7cda61126af
- 7d9037377dc2a2e3fc1985983942d1e9f986aa42
- 240a27b0c1e9f6372b915cb57694c72c1211642b
Source IP
- 45[.]9[.]239[.]50
- 139[.]28[.]37[.]53
- 185[.]62[.]190[.]89
Remediation
- Block the threat indicators at their respective controls.
- Do not download files coming from unexpected/untrusted email addresses even if they look legitimate.
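As an added example (not from the Rewterz advisory or any vendor tool), the script below shows one way to act on the first remediation item: it refangs the indicators listed above, groups them by type (domain, IP, MD5, SHA-1, SHA-256) so each one is checked against the right telemetry field, and sweeps a few constructed log lines for matches. The key=value log format, the field names, and the sample events are assumptions made for the example; the indicator values are copied from the advisory.

```python
import re

# Indicators transcribed from the advisory's IoC section, defanged as published.
ADVISORY_IOCS = """
coinzre[.]website
45[.]9[.]239[.]50
139[.]28[.]37[.]53
185[.]62[.]190[.]89
b034972a9540b3b00161310f5bf03fc9
d76f443222551edfe07b357c3bb157da
fcce335ad11f4e568e6fe23ae766b187
2dbd582b909880eb446ed36e0129ad4b
7cfeb19c792c78c791367c89f74bc8ab
abbfad043fb14ea3dc763b5421361bee
fd50f667337214e27256a0a8053e321d54c61466dce61805bdf51ca47e89e567
a53e5b8da9a397fbf3623969333fb7c58e7690e8dbd0f485c1d7861e3e07fe37
1820244e54dbb87ea21f6f1df15c3f255bfe3dd36db41fbf2f2e1f742a515063
4c355d1e1a2a10135aa2e2848790355bfbab2d64eb5dd95d7278cd8c0ffbf470
1be727ebce44e5c669b2b08ad06e9d99c02490f8bb7f59dda81050947d99b77a
8a73e6fc98e1864296684b9aa82a488590f3110efd5c6e47829642880fd1fc9c
1c1d8d0af6aa728589c5d0d0f46c01b129c75ba0
a7f1c2be87b5ee4392757948fb7c895cad95520b
976da2e8bdd698d974d38d01593897ca64946d92
1303eb76fe1f978c6bfb6ea28329e7cda61126af
7d9037377dc2a2e3fc1985983942d1e9f986aa42
240a27b0c1e9f6372b915cb57694c72c1211642b
""".split()

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp') so the value matches real telemetry."""
    value = indicator.strip().lower()
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value)

def classify(indicator: str) -> str:
    """Return the indicator type: ip, domain, md5, sha1 or sha256 (by hex length)."""
    value = refang(indicator)
    if IPV4_RE.match(value):
        return "ip"
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)]
    return "domain"

def build_ioc_sets(indicators):
    """Group refanged indicators by type so each telemetry field is checked in O(1)."""
    sets = {t: set() for t in ("ip", "domain", "md5", "sha1", "sha256")}
    for ioc in indicators:
        sets[classify(ioc)].add(refang(ioc))
    return sets

# Constructed sample telemetry (not real logs): one event per line as space-separated
# key=value pairs, the shape a generic SIEM export might produce. Assumed format.
SAMPLE_EVENTS = [
    "ts=2020-10-23T09:12:01Z type=dns host=ws-017 query=coinzre.website",
    "ts=2020-10-23T09:12:02Z type=conn host=ws-017 dst_ip=45.9.239.50 dst_port=443",
    "ts=2020-10-23T09:12:05Z type=file host=ws-017 path=C:\\Users\\a\\AppData\\Roaming\\svc.exe "
    "sha256=FD50F667337214E27256A0A8053E321D54C61466DCE61805BDF51CA47E89E567",
    "ts=2020-10-23T09:15:11Z type=dns host=ws-022 query=updates.example.com",
    "ts=2020-10-23T09:16:40Z type=conn host=ws-022 dst_ip=10.0.0.5 dst_port=445",
]

# Which log field is compared against which indicator type (assumed field names).
FIELD_TO_TYPE = {"query": "domain", "dst_ip": "ip",
                 "md5": "md5", "sha1": "sha1", "sha256": "sha256"}

def parse_event(line: str) -> dict:
    """Split a key=value event line into a dict; tokens without '=' are ignored."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def scan_events(events, ioc_sets):
    """Return (event line, field, indicator type) for every field that hits an IoC.

    Values are lower-cased and a trailing FQDN dot is stripped so that upper-case
    hashes or 'coinzre.website.' still match the normalised indicator sets.
    """
    hits = []
    for line in events:
        fields = parse_event(line)
        for field, ioc_type in FIELD_TO_TYPE.items():
            value = fields.get(field, "").lower().rstrip(".")
            if value and value in ioc_sets[ioc_type]:
                hits.append((line, field, ioc_type))
    return hits

if __name__ == "__main__":
    for line, field, ioc_type in scan_events(SAMPLE_EVENTS, build_ioc_sets(ADVISORY_IOCS)):
        print(f"[{ioc_type}] {field} matched: {line}")
```

Run as-is it reports three hits from the sample events (the domain lookup, the outbound connection to one of the listed IPs, and the file whose SHA-256 is on the list) and ignores the two benign lines. Classifying by hex length keeps an MD5 from being compared against a SHA-1 field, and normalising case before lookup matters because EDR and proxy products do not agree on hash or hostname casing.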