Rewterz Threat Alert – TA505 APT Group – Latest IOCs
July 8, 2020
Rewterz Threat Advisory – Citrix ADC, Gateway and Citrix SD-WAN WANOP Multiple Security Vulnerabilities
July 9, 2020
Severity
High
Analysis Summary
Researchers have analyzed the latest Agent Tesla malware, focusing on its newest infection chain, which uses a long and complex process to deliver the final payload. It starts with a phishing email carrying an RTF attachment. The RTF document contains embedded OLE objects, each of which in turn contains an OOXML package. Each of these objects prompts the user to enable macros so that the VBA code inside the OOXML packages can execute. The VBA code is so heavily obfuscated that automated malware analysis tools could not analyze it. Manual debugging shows that, in combination, the VBA code parts build a PowerShell blob. This PowerShell is also obfuscated to hinder analysis. It has two purposes: bypass AMSI and download a file. The downloaded file is an Agent Tesla executable. It first establishes persistence via a scheduled task. It then disables Task Manager. Finally, it steals WiFi passwords and application credentials. These credentials are exfiltrated via SMTP using a hardcoded email address and password. The researchers note that a similar infection chain has been seen in the past, but it was previously distributing Lokibot.
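The first stage described above (an RTF whose embedded OLE objects each wrap an OOXML package carrying VBA) can be triaged without opening the document. The script below is an added example, not code from Rewterz or the cited researchers: it pulls every `\objdata` hex run out of an RTF, decodes it, and flags objects that contain a zip (OOXML) package with a `vbaProject.bin` member. The sample RTF it builds is constructed for the test and is not a real sample.

```python
import io
import re
import zipfile

# Hex run that follows an \objdata control word; RTF writers wrap it across lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
ZIP_MAGIC = b"PK\x03\x04"          # local file header of a zip / OOXML package
VBA_MARKER = b"vbaProject.bin"     # member name OOXML uses for a VBA project


def extract_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Return the decoded bytes of every \\objdata hex run in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:            # tolerate a truncated or odd-length run
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Count embedded objects and flag those wrapping an OOXML package with VBA.

    The OLE1 wrapper in front of the package is not parsed: zip member names are
    stored in clear text, so scanning the whole decoded blob is enough for triage.
    """
    blobs = extract_objdata_blobs(rtf)
    zip_objects = [b for b in blobs if ZIP_MAGIC in b]
    vba_objects = [b for b in zip_objects if VBA_MARKER in b]
    return {
        "objects": len(blobs),
        "ooxml_packages": len(zip_objects),
        "with_vba": len(vba_objects),
        "suspicious": bool(vba_objects),
    }


def build_sample_rtf(n_objects: int = 2) -> bytes:
    """Constructed input: an RTF with n embedded OOXML packages, each with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # stub body
    pkg = buf.getvalue()
    objdata = (b"\x01\x05\x00\x00" + pkg).hex().encode()   # placeholder OLE1 prefix
    wrapped = b"\n".join(objdata[i:i + 64] for i in range(0, len(objdata), 64))
    obj = b"{\\object\\objemb{\\*\\objdata " + wrapped + b"}}"
    return b"{\\rtf1\\ansi " + b" ".join([obj] * n_objects) + b"}"
```

Obfuscated RTF can break the hex run with stray control words, so treat this as a quick filter and confirm hits with a full RTF object parser such as oletools' rtfobj.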
Impact
- Credential theft
- Information theft
Indicators of Compromise
SHA-256
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.