Rewterz Threat Alert – Hackers Start Capitalizing on Zoom’s Success to Spread Malware Amid Covid-19
March 30, 2020Rewterz Threat Alert – Covid-19 Threat Actors Impersonating CDC, WHO
March 31, 2020
Severity
High
Analysis Summary
The Kwampirs RAT is a modular RAT worm that gains access to victim machines and networks. This broad and targeted access to victim companies is meant to enable follow-on computer network exploitation (CNE) activities. The RAT is used by the OrangeWorm threat actor. Heavily targeted industries include healthcare, software supply chain, energy, finance, judiciary and engineering across Asia, the Americas, the Middle East and Europe. Similarities with the data-destruction malware Shamoon have been observed. During enterprise infections, daily communication with command and control (C2) servers was seen. Infected software supply chain vendors included products used to manage industrial control system (ICS) assets. Lateral movement via shared network resources is observed. The campaign follows a two-phase approach. The first phase establishes a broad and persistent presence on the targeted network, including delivery and execution of secondary malware payload(s). The second phase includes the delivery of additional Kwampirs components or malicious payload(s) to further exploit the infected victim host(s).
Propagation, Persistence, Backdoor (Module 1):
Upon successful infection, the Kwampirs RAT propagates laterally across the targeted network via SMB (port 445), using hidden administrative shares such as ADMIN$ and C$. The malware maintains persistence on the infected Windows host by dropping a binary to the hard drive and creating a malicious Windows system service set to auto-start upon reboot. The new malicious service scans and catalogs the host configuration, encrypts the data, and transmits it to an external Command and Control (C2) server via an HTTP GET request on port 80.
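The module 1 behaviour above (admin-share lateral movement over SMB, a newly installed auto-start service, and HTTP GET beacons on port 80 to the C2 URL shape listed under Indicators of Compromise) can be triaged from host and proxy telemetry. The following Python is an added example written for this alert; it is not Rewterz tooling or Kwampirs code. The log line layouts, host names, service name, event field names and the base64 query values are constructed sample data, and matching on Windows Event IDs 7045 (service installed) and 5140 (network share accessed) assumes those events are being collected.

```python
import re
from collections import defaultdict

# Shape of the C2 URLs listed under "Indicators of Compromise": a .php/.asp path
# whose q= parameter starts with "KT"/"kt" followed by base64 text. The minimum
# length keeps ordinary "?q=kt" search URLs out of the match.
C2_QUERY_RE = re.compile(r"\.(?:php|asp)\?q=[Kk][Tt][A-Za-z0-9+/]{8,}={0,2}$")
ADMIN_SHARES = {"ADMIN$", "C$"}
SERVICE_INSTALLED_EVENT = "7045"   # System log: a new service was installed
SHARE_ACCESS_EVENT = "5140"        # Security log: a network share object was accessed
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # Key=Value pairs; values may contain spaces

# Constructed sample telemetry (assumed layouts, not taken from the alert):
#   proxy: "<ts> <host> <dst_ip>:<dst_port> <method> <url> <status>"
#   event: "<ts> <host> EventID=<id> <Key=Value ...>"
# Host names, the service name and the base64 after KT/kt are made up for this example.
PROXY_LOG = [
    "2020-03-31T09:00:01 WS-ENG01 91.29.51.11:80 GET /default/main.php?q=KTZXhhbXBsZWV4YW1wbGU= 200",
    "2020-03-31T09:00:05 WS-ENG01 198.51.100.20:443 GET /index.html 200",
    "2020-03-31T09:01:10 DC01 33.25.72.21:80 GET /group/main.asp?q=ktZXhhbXBsZWV4YW1wbGU= 200",
    "2020-03-31T09:02:00 WS-QA07 198.51.100.20:80 GET /search.php?q=kt 200",
]
EVENT_LOG = [
    "2020-03-31T08:55:00 WS-ENG01 EventID=7045 ServiceName=ExampleSvc StartType=auto start "
    r"ImagePath=C:\ProgramData\example\svc.exe",
    r"2020-03-31T08:58:30 DC01 EventID=5140 ShareName=\\*\ADMIN$ SubjectUserName=svc_backup IpAddress=10.0.5.17",
    r"2020-03-31T08:59:00 WS-QA07 EventID=5140 ShareName=\\*\Public SubjectUserName=alice IpAddress=10.0.5.40",
]


def parse_proxy(line):
    """Split one constructed proxy line into its fields."""
    ts, host, dst, method, url, status = line.split()
    ip, port = dst.rsplit(":", 1)
    return ts, host, ip, port, method, url, status


def parse_event(line):
    """Split one constructed event line into (ts, host, {Key: Value})."""
    ts, host, rest = line.split(maxsplit=2)
    return ts, host, dict(KV_RE.findall(rest))


def is_c2_beacon(method, port, url):
    """HTTP GET on port 80 to a URL matching the listed C2 pattern."""
    return method == "GET" and port == "80" and C2_QUERY_RE.search(url) is not None


def triage(proxy_lines, event_lines):
    """Return {host: [reason, ...]} for hosts showing any module 1 signal."""
    findings = defaultdict(list)
    for line in proxy_lines:
        _, host, ip, port, method, url, _ = parse_proxy(line)
        if is_c2_beacon(method, port, url):
            findings[host].append(f"c2_beacon:{ip}")
    for line in event_lines:
        _, host, f = parse_event(line)
        if f.get("EventID") == SERVICE_INSTALLED_EVENT and f.get("StartType", "").startswith("auto"):
            findings[host].append(f"autostart_service:{f.get('ServiceName')}")
        elif f.get("EventID") == SHARE_ACCESS_EVENT:
            # ShareName looks like \\*\ADMIN$; keep only the share itself
            share = f.get("ShareName", "").rsplit("\\", 1)[-1]
            if share in ADMIN_SHARES:
                findings[host].append(f"admin_share_access:{share} from {f.get('IpAddress')}")
    return dict(findings)


def high_confidence(findings):
    """Hosts that beacon to the C2 pattern and also show a host-side signal."""
    return sorted(h for h, r in findings.items()
                  if any(x.startswith("c2_beacon") for x in r) and len(r) > 1)


if __name__ == "__main__":
    result = triage(PROXY_LOG, EVENT_LOG)
    for host, reasons in result.items():
        print(host, reasons)
    print("high confidence:", high_confidence(result))
```

A single signal is low confidence on its own: auto-start services are installed legitimately, and ADMIN$ and C$ are used by ordinary administration tools. The useful output is `high_confidence`, a host that shows the beacon together with one of the host-side signals; the remaining hosts are a review queue, not alerts.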
Module 2 executes additional Kwampirs RAT modular components on the infected host(s). These malicious components allow for additional, detailed collection of system and network interface configuration. This information is encrypted and transmitted to the C2 server via HTTP. Secondary module commands are highly targeted and are executed on critical business and/or network hosts, including the following:
- Primary Domain Controllers
- Secondary Domain Controllers
- Engineering & Quality Assurance / Testing workstations
- Primary Source Code servers
Secondary modules executed on the victim host(s) run additional commands that result in much deeper and more thorough reconnaissance of the targeted entity. Targeted software supply chain vendors share some of the following business and operations attributes:
- Global imaging business products/services that are multi-industry;
- Product co-development and corporate alliances with worldwide software companies;
- Product co-development and corporate alliances with companies in the Enterprise Resource Planning (ERP) industry;
- Products and services supporting ICS maintenance functions, with strong business presence in the Healthcare and Energy sectors.
Significant intrusion vectors include the following:
- During mergers and acquisition(s), infections from one company have moved laterally into the acquiring company once the networks are connected;
- During the software co-development process, malware has been passed between multiple entities through shared resources;
- During the software co-development process, shared internet facing resources have infected co-development participants;
- Software supply chain vendors infected device(s) installed on the customer/corporate LAN or customer/corporate cloud infrastructure.
Impact
- Computer network exploitation
- Data Exfiltration
- Unauthorized remote access
- Confidentiality breach
Indicators of Compromise
MD5
- 0240ed7e45567f606793dafaff024acf
- 047f70dbac6cd9a4d07abef606d89fb7
- 2ae53de1a1f65a6d57e96dab26c73cda
- 47345640c135bd00d9f2969fabb4c9fa
- cb9954509dc82e6bbed2aee202d88415
- b680b119643876286030c4f6134dc4e3
- fac94bc2dcfbef7c3b248927cb5abf6d
- 856683aee9687f6fdf00cfd4dc4c2aef
- 847459c8379250d8be2b2d365be877f5
- 6277e675d335fd69a3ff13a465f6b0a8
- 3bedc1c4c1023c141c2f977e846c476e
- ce3894ee6f3c2c2c828148f7f779aafe
- 3b3a1062689ffa191e58d5507d39939d
- 7e5f76c7b5bf606b0fdc17f4ba75de03
- 177bece20ba6cc644134709a391c4a98
- b59e4942f7c68c584a35d59e32adce3a
- 81e61e5f44a6a476983e7a90bdac6a55
- ec968325394f3e6821bf90fda321e09b
- 01cf05a07af57a7aafd0ad225a6fd300
- d57df638c7befd7897c9013e90b678f0
- 5c3499acfe0ad7563b367fbf7fb2928c
- 4b91ec8f5d4a008dd1da723748a633b6
- 134846465b8c3f136ace0f2a6f15e534
- 9d2cb9d8e73fd879660d9390ba7de263
- 939e76888bdeb628405e1b8be963273c
- de9b01a725d4f19da1c1470cf7a948ee
- bb939a868021db963916cc0118aab8ee
- 3289c9a1b534a19925a14a8f7c39187c
- 9d3839b39d699336993df1dd4501892b
- fece72bd41cb0e06e05a847838fbde56
- bbd9e4204514c66c1babda178c01c213
- ee4206cf4227661d3e7ec846f0d69a43
- 290d8e8524e57783e8cc1b9a3445dfe9
Source IP
- 65[.]116[.]107[.]24
- 13[.]44[.]61[.]126
- 56[.]28[.]111[.]63
- 118[.]71[.]138[.]69
- 117[.]32[.]65[.]101
- 18[.]25[.]62[.]70
- 92[.]137[.]43[.]17
- 33[.]25[.]72[.]21
- 16[.]48[.]37[.]37
- 91[.]29[.]51[.]11
URL
- hxxp[:]//91[.]29[.]51[.]11/default/main[.]php?q=KT[REDACTED_BASE64_STRING]==
- hxxp[:]//65[.]116[.]107[.]24/login/login[.]php?q=kt[REDACTED_BASE64_STRING]==
- hxxp[:]//13[.]44[.]61[.]126/main/indexmain[.]php?q=KT[REDACTED_BASE64_STRING]==
- hxxp[:]//56[.]28[.]111[.]63/group/group/defaultmain[.]php?q=KT[REDACTED_BASE64_STRING]==
- hxxp[:]//118[.]71[.]138[.]69/new/main/default[.]php?q=KT[REDACTED_BASE64_STRING]==
- hxxp[:]//117[.]32[.]65[.]101/users/login[.]php?q=kt[REDACTED_BASE64_STRING]==
- hxxp[:]//18[.]25[.]62[.]70/groupgroup/default[.]php?q=kt[REDACTED_BASE64_STRING]==
- hxxp[:]//92[.]137[.]43[.]17/group/group/home/login/home[.]php?q=KT[REDACTED_BASE64_STRING]==
- hxxp[:]//33[.]25[.]72[.]21/group/main[.]asp?q=KT[REDACTED_BASE64_STRING]==
- hxxp[:]//16[.]48[.]37[.]37/groupusers/default[.]php?q=kt[REDACTED_BASE64_STRING]==
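Before the indicators above can be blocked at their respective controls (see Remediation), they need to be refanged, validated and de-duplicated, and the URL hosts should be checked against the Source IP list. The following Python is an added example, not Rewterz tooling. IOC_TEXT is a constructed excerpt that reuses a few entries from the lists above plus one deliberately invalid entry and a repeated hash; the [REDACTED_BASE64_STRING] placeholder is kept exactly as it appears, which is why the url_path output (host plus path, without the variable query string) is the more useful blocking artefact.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SECTIONS = {"MD5": "md5", "Source IP": "ip", "URL": "url"}

# Constructed excerpt of the alert's IoC section: two real entries from the MD5
# list (one repeated), one made-up invalid hash, two IPs and two URLs. The
# second URL's host is intentionally absent from the Source IP excerpt.
IOC_TEXT = """
MD5
- 0240ed7e45567f606793dafaff024acf
- cb9954509dc82e6bbed2aee202d88415
- cb9954509dc82e6bbed2aee202d88415
- not-a-hash
Source IP
- 91[.]29[.]51[.]11
- 65[.]116[.]107[.]24
URL
- hxxp[:]//91[.]29[.]51[.]11/default/main[.]php?q=KT[REDACTED_BASE64_STRING]==
- hxxp[:]//13[.]44[.]61[.]126/main/indexmain[.]php?q=KT[REDACTED_BASE64_STRING]==
"""


def refang(value):
    """Undo the defanging used in the alert: hxxp -> http, [:] -> :, [.] -> ."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[:]", ":").replace("[.]", ".")


def parse_iocs(text):
    """Parse '- item' lines under MD5 / Source IP / URL headings into validated, ordered, de-duplicated lists."""
    result = {"md5": [], "ip": [], "url": [], "url_path": [], "rejected": [], "unmatched_url_hosts": []}
    seen = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        if not line.startswith("- ") or section is None:
            continue
        original = line[2:].strip()
        value = refang(original)
        parts = None
        if section == "md5":
            value = value.lower()
            ok = MD5_RE.match(value) is not None
        elif section == "ip":
            try:
                ipaddress.ip_address(value)
                ok = True
            except ValueError:
                ok = False
        else:
            parts = urlsplit(value)
            ok = parts.scheme in ("http", "https") and bool(parts.hostname)
        if not ok:
            result["rejected"].append(original)
            continue
        if (section, value) in seen:      # the alert lists several hashes more than once
            continue
        seen.add((section, value))
        result[section].append(value)
        if section == "url":
            # host + path only: the q= value is redacted in the alert and varies per beacon
            result["url_path"].append(parts.hostname + parts.path)
    known_ips = set(result["ip"])
    url_hosts = {urlsplit(u).hostname for u in result["url"]}
    result["unmatched_url_hosts"] = sorted(url_hosts - known_ips)
    return result


if __name__ == "__main__":
    for key, values in parse_iocs(IOC_TEXT).items():
        print(key, values)
```

Run against the full IoC section of this alert, `unmatched_url_hosts` should come back empty (every URL host is also listed as a Source IP); a non-empty list means the IP blocklist is missing a host that the URL list references.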
Remediation
- Block the threat indicators at their respective controls.
- Closely monitor traffic on port 445 (SMB) and port 80 (HTTP).
- Employ regular updates to applications and the host operating system to ensure protection against known vulnerabilities.
- Employ user input validation to restrict local and remote file inclusion vulnerabilities.
- Implement a least-privileges policy on the Web server to reduce adversaries' ability to escalate privileges or pivot laterally to other hosts, and to control creation and execution of files in particular directories.
- If not already present, consider deploying a demilitarized zone (DMZ) between the Web-facing systems and the corporate network. Limiting the interaction between the two and logging the traffic across that boundary provides a method to identify possible malicious activity.
- Ensure a secure configuration of Web servers. All unnecessary services and ports should be disabled or blocked. All necessary services and ports should be restricted where feasible. This can include whitelisting or blocking external access to administration panels and not using default login credentials.
- Utilize a reverse proxy or alternative service to restrict accessible URL paths to known legitimate ones.
- Conduct regular system and application vulnerability scans to establish areas of risk.