November 28, 2019
Severity
High
Analysis Summary
Cyberbit has released a report on a Remote Administration Tool (RAT) called Dtrack that was used in an attack on the Kudankulam Nuclear Power Plant (KNPP) in India, in what appears to be an APT attack. The North Korean threat group Lazarus (tracked internally as ITG03 by IBM), also widely known as HIDDEN COBRA, is believed to have authored Dtrack. Internal credentials for KNPP's network were hard-coded into the version of Dtrack examined, implying it was the second phase of a targeted attack. Along with the Dtrack variant, three droppers were found in the network that share techniques with the banking trojans BackSwap and Ursnif. BackSwap inserts itself into legitimate applications such as OllyDbg, 7-Zip and FileZilla, so the icon and program details appear to be legitimate. The Ursnif variant found was compiled without the NX (no-execute) bit set, which allows the malware to execute code directly from its own heap or stack.
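The NX observation above can be verified on any suspect binary by reading the DllCharacteristics field of its PE optional header, where the NX_COMPAT (DEP) and DYNAMIC_BASE (ASLR) opt-in flags live. The following is an added example, not code from the Rewterz alert or Cyberbit's report; it assumes a standard PE32/PE32+ layout and exercises the parser on a constructed header blob rather than on a real sample.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts in to DEP/NX


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image; ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):              # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return dll_chars


def missing_mitigations(data: bytes) -> list:
    """List the exploit mitigations the image did not opt in to (empty list = all present)."""
    chars = pe_dll_characteristics(data)
    missing = []
    if not chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        missing.append("NX_COMPAT")
    if not chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        missing.append("DYNAMIC_BASE")
    return missing


def build_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not a real binary), used only to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # i386 machine, no sections, 224-byte optional header, executable image
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 68 + struct.pack("<H", dll_characteristics)
    opt += b"\0" * (224 - len(opt))
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    both = IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    for chars in (0x0000, both):
        print(hex(chars), "missing:", missing_mitigations(build_sample_pe(chars)))
```

On a real file, pass `open(path, "rb").read()` to `missing_mitigations`; a dropper reporting `NX_COMPAT` as missing matches the trait the report describes for the Ursnif variant.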
Impact
Exposure of sensitive information
Indicators of Compromise
SHA-256
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.