Severity
High
Analysis Summary
The first of FIN7’s new tools is BOOSTWRITE, an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family, using multiple methods to avoid traditional antivirus detection; in one case a BOOSTWRITE sample was signed with a certificate issued by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER. While CARBANAK has been thoroughly analyzed and has been used by several financially motivated attackers, including FIN7, RDFSNIFFER is a newly identified tool recovered by Mandiant investigators.
Impact
Financial loss
Indicators of Compromise
Malware Hashes
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.