Rewterz Threat Advisory – CVE-2021-21132 – Google Chrome DevTools security bypass
January 25, 2021
Rewterz Threat Alert – Ursnif Banking Trojan – IOC’s
January 25, 2021
Severity
High
Analysis Summary
The following samples are attributed to the Lazarus group, a state-sponsored threat actor that targets financial organizations for monetary gain. The group is active again and is targeting different organizations via phishing emails that drop malicious Word documents carrying macros, which run once the document is downloaded and opened. Previously these campaigns were specifically crafted to target Russian organizations, but the group has now shifted its focus toward the Asia-Pacific region.
Threat Analysis
- Reused decoy and obfuscated macros
- Loader compiled on 2021-01-12
- Creates a bloated copy of msiexec.exe
- Scheduled task with VBS for persistence
- Indirect command execution with pcalua.exe
Impact
Information theft and espionage
Indicators of Compromise
Filename: NG-Opportunity[.]doc
MD5: e87b575b2ddfb9d4d692e3b8627e3921
SHA-1: f675c0aa46a18a6026f0d541fce6a75688a018aa
SHA-256: f188eec1268fd49bdc7375fc5b77ded657c150875fede1a4d797f818d2514e88
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
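One way to act on the two remediation steps above is a small hunting script that checks endpoint telemetry both for the published hashes and for the behaviours listed under Threat Analysis (pcalua.exe indirect execution, a VBS scheduled task, and an out-of-place or bloated msiexec.exe). This is an added example, not Rewterz tooling; the hashes come from the advisory, while the event format, file paths, sample events and the size threshold are assumptions constructed for the demonstration.

```python
# Hashes copied from the advisory's IoC list; everything else (event format,
# paths, sample events, size threshold) is constructed for this example.
IOC_HASHES = {
    "e87b575b2ddfb9d4d692e3b8627e3921",                                   # MD5
    "f675c0aa46a18a6026f0d541fce6a75688a018aa",                           # SHA-1
    "f188eec1268fd49bdc7375fc5b77ded657c150875fede1a4d797f818d2514e88",   # SHA-256
}
LEGIT_MSIEXEC = (r"c:\windows\system32\msiexec.exe", r"c:\windows\syswow64\msiexec.exe")
BLOAT_THRESHOLD = 10 * 1024 * 1024  # assumed cut-off; a genuine msiexec.exe is far smaller

def hunt(events):
    """Return (reason, event) pairs for each advisory behaviour seen in `events`.
    Event keys (all optional): image, cmdline, hash (any case), size in bytes."""
    findings = []
    for ev in events:
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        # 1. File hash matches one of the published indicators.
        if ev.get("hash", "").lower() in IOC_HASHES:
            findings.append(("ioc_hash_match", ev))
        # 2. Indirect command execution through the Program Compatibility Assistant.
        if image.endswith(r"\pcalua.exe") and " -a " in cmd:
            findings.append(("pcalua_indirect_exec", ev))
        # 3. Scheduled task created with a VBS script as its action.
        if image.endswith(r"\schtasks.exe") and "/create" in cmd and ".vbs" in cmd:
            findings.append(("schtasks_vbs_persistence", ev))
        # 4. msiexec.exe running from an unexpected path, or a bloated copy of it.
        if image.endswith(r"\msiexec.exe"):
            if image not in LEGIT_MSIEXEC:
                findings.append(("msiexec_copy_unusual_path", ev))
            if ev.get("size", 0) > BLOAT_THRESHOLD:
                findings.append(("msiexec_bloated", ev))
    return findings

# Constructed sample telemetry: four suspicious events and one benign msiexec run.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\NG-Opportunity.doc",
     "hash": "E87B575B2DDFB9D4D692E3B8627E3921"},
    {"image": r"C:\Windows\System32\pcalua.exe",
     "cmdline": r"pcalua.exe -a C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn Upd /tr "wscript C:\Users\alice\upd.vbs"'},
    {"image": r"C:\Users\alice\AppData\Local\Temp\msiexec.exe", "size": 60_000_000},
    {"image": r"C:\Windows\System32\msiexec.exe", "size": 200_000,
     "cmdline": "msiexec.exe /i setup.msi"},
]

if __name__ == "__main__":
    for reason, ev in hunt(SAMPLE_EVENTS):
        print(f"{reason:28s} {ev['image']}")
```

Feed it process-creation and file-creation records exported from your EDR or Sysmon in the same dict shape; the benign System32 msiexec run in the sample produces no finding.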