Rewterz Threat Advisory – CVE-2020-14307 – Red Hat JBoss Enterprise Application Platform denial of service
July 27, 2020
Rewterz Threat Alert – WastedLocker Ransomware
July 27, 2020
Severity
Medium
Analysis Summary
Email scammers keep inventing new ways to trick victims out of their money. We recently came across a case where the scammer reused existing phishing and scam scripts, copy-and-paste style. With a bit of modification, the script behaves like ransomware without the hassle of compiling a portable executable. This screen-locker variant locks the user's screen and demands a ransom, rather than encrypting files as typical ransomware does. The ransom demanded in this case was in the form of Google Play cards.

The scam starts with an email. We have recently seen an email spam campaign posing as an important update for your computer. The email "From:" address is help@supportwindows followed by some digits.
In the first email sample, the hyperlink provided directly downloads a batch file, WindowsUpdate.bat.
In the second email sample, the hyperlink uses a URL shortening service that leads to a WordPress website; if the victim clicks it, they are redirected to that WordPress page.
Either the computer boots up and startup1.vbs is triggered, or License2.vbs is executed from the key.rar archive. The victim is then tricked into thinking that their computer is 'blocked'.
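As an added defender-side example (not code from the advisory), the following Python triages a raw email against the lure traits described above: the help@supportwindows<digits> sender, a link that directly downloads a .bat file, and a shortened link. The sample messages, their addresses and URLs, and the shortener host list are constructed assumptions.

```python
import re
from email import message_from_string

# Lure traits taken from the advisory: a sender of help@supportwindows<digits>
# and a hyperlink that directly downloads a .bat file. The shortener host list
# is an assumption; extend it with the services your mail gateway tracks.
SENDER_RE = re.compile(r"help@supportwindows\d+", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

def _host(url: str) -> str:
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()

def _body_text(msg) -> str:
    # Collect every text/* part so multipart lures are not missed.
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def assess_email(raw: str) -> list:
    """Return the lure indicators found in a raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    findings = []
    if SENDER_RE.search(msg.get("From", "")):
        findings.append("sender matches help@supportwindows<digits>")
    for url in URL_RE.findall(_body_text(msg)):
        if url.split("?")[0].lower().endswith(".bat"):
            findings.append("link downloads a batch file: " + url)
        elif _host(url) in SHORTENER_HOSTS:
            findings.append("link uses a URL shortener: " + url)
    return findings

# Constructed sample messages (placeholder addresses and URLs, not real IoCs).
SAMPLE_BAT = """From: Windows Support <help@supportwindows2020.example>
Subject: Important update for your computer

Install the update now: http://update.example.invalid/WindowsUpdate.bat"""
SAMPLE_SHORT = """From: help@supportwindows77.example
Subject: Important update for your computer

Your system needs an update: https://bit.ly/abc123"""
SAMPLE_BENIGN = """From: it-desk@example.org
Subject: Maintenance window

Details: https://intranet.example.org/maintenance"""
```

Feed `assess_email` the raw message text from a mail gateway quarantine or a saved .eml file; two or more findings on one message is a reasonable threshold for blocking.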
Impact
Locks the user out of their screen
Indicators of Compromise
Domain Name
- whoawarenesscom
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.