November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Maze Ransomware Targets State-owned oil Company of Algeria
April 6, 2020Rewterz Threat Alert – Coronavirus-Themed Domain Hosts a Phishing Kit
April 7, 2020Maze Ransomware Targets State-owned oil Company of Algeria
April 6, 2020Rewterz Threat Alert – Coronavirus-Themed Domain Hosts a Phishing Kit
April 7, 2020
Severity
High
Analysis Summary
A packer dubbed Loncom (Trojan-Dropper.NSIS.Loncom) which incorporates NSIS and Microsoft Crypto API (both legitimate software packages) disguise of an update for an expired security certificate to pack and encrypt APT ready malware. Once the shellcode is extracted on a victim’s system, it begins decrypting the payload from the archive and executes it. To do this, information from the NSIS script is used to decrypt the payload. Malware discovered packed by Loncom included Mokes, Buerak, DarkVNC (also known as REvil, a VNC backdoor), and Sodin (also known as Sodinokibi, ransomware).
Impact
- Exposure of sensitive data
- Gain access of victim’s system
Indicators of Compromise
MD5
- BB00BA9726F922E07CF243D3CCFC2B6E
- EBE191BF77044961684DF51B88CA8D05
- 4B4C98AC8F04680F7C529956CFE8519B
- AEF8FBB5C64734093E78EB13E6FA7849
SHA-256
- 64bc66f669abd4538e917fc60aa7ec95008dfb80a61c6864082fe022cd861c25
- 8e08192cee6bfb065e9750e0457aaaf81849fac2adae1cb73147ead7949c56d2
- 86f0a102ed4a4f82f843484cc045df5bea53118d25496086a68a7f791a3ab27b
- 64bc66f669abd4538e917fc60aa7ec95008dfb80a61c6864082fe022cd861c25
SHA1
- 22f26496f2e8829af9f5cfcd79c47e03fe9a21bb
- 4aa25662e4e59877cb94cc1d18aafd304ca1ca2e
- e6dccf4b1fc5ab116b6bc1321346b35dbf42f387
- 22f26496f2e8829af9f5cfcd79c47e03fe9a21bb
Remediation
- Block all threat indicators at your respective controls.
- Check for IOC’s in your environment.