Rewterz Threat Advisory – ICS: Honeywell Maxpro VMS & NVR
January 22, 2020Rewterz Threat Alert – Increased Activity of Emotet
January 23, 2020Rewterz Threat Advisory – ICS: Honeywell Maxpro VMS & NVR
January 22, 2020Rewterz Threat Alert – Increased Activity of Emotet
January 23, 2020Severity
High
Analysis Summary
Identification of new versions of an old Linux malware known as Rekoobe, a minimalistic trojan with a complex CNC authentication protocol originally targeting SPARC and Intel x86, x86-64 systems back in 2015 is back. The new malware samples have lower detection rates than their predecessors. This might be because of malware ceased its operation in 2016 after it was reported. In the current context, Rekoobe have resumed their operations utilizing a newer version of the malware.
Technical Analysis
the new variants are statically compiled ELF binaries while older variants were dynamically compiled.This undeniably implies that on a code level these two generations of the same malware are different. Since the compilation flags used by the GCC compiler differ between dynamically and statically linked code, the compiler will generate different code accordingly.
In previous Rekoobe variants, the malware would initially collect some preliminary configuration saved in disk, masquerading this configuration to be a shared object, However, in the new variants, the need for this configuration file has been completely removed, having hard-coded the subject artifacts previously dependent on the configuration file.
Impact
Download user files
Indicators of Compromise
Domain Name
huawel[.]site
Hostname
7xin[.]bitscan[.]win
IP
- 119[.]3[.]22[.]174
- 96[.]45[.]187[.]113
MD5
- f34119a442651945d5efb33db8901d9b
- 4b45e601d480124c38be06a706f7d8f4
SHA-256
- 2e2dc0328f6c19b033bb19c24e59e354e519606958afb93fd8049d162a8e3edd
- c9eb46d00e11acb354b518f725412b88c69cc511ec8d5bd3cb03c1740f8a2936
- 7148ae1ab45e17889915100fdc203fe7941d8e9b946d44a3989ab8baeb6066e1
- 80e5fec19843c32c6c3fc38aabdeb428c339b0dfce28023529144405b9c72b33
- e63c2e35a41c51e33b246f5b60c5d1b8da0d8c50bf7ec592383b61818217e8d7
- 1d0591049a65db6508a9517f72954541ef6b5a7fe9153c5edcb1bac1b70b991c
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.