Rewterz Threat Advisory – Moxa EDR 810 Series Multiple Vulnerabilities
October 3, 2019
Rewterz Threat Alert – Reductor Infects Files on the Fly to Compromise TLS Traffic
October 4, 2019
Severity
High
Analysis Summary
Recently, a VirusTotal submitter uploaded a file that was digitally signed with the same certificate as two previously reported Lazarus tools. Like one of those tools, this newly uploaded malware appears to act as an injector, although it behaves significantly differently.
The digital signature of this file matches the signature used on two Lazarus tools discussed in open source.
Operation
The injector expects four command line parameters to be present at invocation:
- The path of the injector itself, which under normal circumstances is automatically part of the command line
- An integer value (1 or 2) that specifies the operational mode (inject or eject)
- A process identifier (PID) value that specifies the target process
- A path to the DLL to be injected into the target PID
The malware first checks that there are a total of four parameters present before validating their content. Next, it uses the PathFileExistsA API call to validate the path to the DLL to be injected. The injector also contains debugging messages. These items are all visible in the image below.

Next, the malware checks that an integer has been supplied as the PID and that either the integer 1 or the integer 2 has been supplied as the operational argument. Curiously, dynamic debugging suggests that the PID check will still pass as long as the argument begins with a digit (for example, passing “94a” will still cause the malware to attempt to inject into or eject from a process with an invalid PID, although the subsequent OpenProcess attempts will fail).
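A defender-side way to hunt for the argument shape described above in process-creation logs, as an added example that is not part of the advisory: the command lines are constructed samples, and `lenient_atoi` models the leading-digit PID quirk the text describes (a hypothetical name, not the malware's own routine).

```python
import re
import shlex
from typing import Optional

# Constructed sample command lines (not from the advisory), in the shape a
# process-creation log (e.g. a Sysmon event 1 CommandLine field) would carry.
SAMPLE_COMMAND_LINES = [
    r'C:\Users\Public\svc.exe 1 4120 C:\Users\Public\core.dll',   # inject, clean PID
    r'C:\Users\Public\svc.exe 2 94a C:\Users\Public\core.dll',    # eject, garbled PID
    r'C:\Users\Public\svc.exe 3 4120 C:\Users\Public\core.dll',   # mode 3: rejected
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL', # benign, 2 args
    r'C:\Users\Public\svc.exe 1 4120',                              # only 3 args
]

def lenient_atoi(s: str) -> Optional[int]:
    """Mimic C atoi(): take an optional sign and the leading digits, ignore the
    rest. '94a' therefore parses as 94, which is why the injector's PID check
    still passes for such input."""
    m = re.match(r'^[+-]?\d+', s)
    return int(m.group(0)) if m else None

def matches_injector_pattern(cmdline: str) -> Optional[dict]:
    """Return parsed fields when cmdline has the four-argument shape
    (exe, mode 1|2, PID, DLL path) the advisory describes, else None.
    Checks are applied in the same order the malware applies them."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes
    except ValueError:
        return None
    if len(argv) != 4:                  # argument count is checked first
        return None
    exe, mode, pid_arg, dll = argv
    if mode not in ('1', '2'):          # operational mode must be 1 or 2
        return None
    pid = lenient_atoi(pid_arg)         # only the leading digits matter
    if pid is None:
        return None
    if '\\' not in dll and '/' not in dll:  # heuristic: last arg must look like a path
        return None
    return {'exe': exe, 'mode': 'inject' if mode == '1' else 'eject',
            'pid': pid, 'pid_arg': pid_arg, 'dll': dll,
            'pid_garbled': not pid_arg.lstrip('+-').isdigit()}

def hunt(lines) -> list:
    """Return every command line that matches the injector's argument shape."""
    return [hit for hit in (matches_injector_pattern(l) for l in lines) if hit]
```

A `pid_garbled` hit is worth a closer look on its own: a legitimate tool would not normally be launched with a trailing non-digit in a PID argument.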
Impact
Exposure of sensitive information
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)
- SHA256: 39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655
- MD5: 89081f2e14e9266de8c042629b764926
- SHA1: 730c1b9e950932736fc4b02cbdb4e4e891485ac2
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.