Rewterz Threat Alert – Remcos RAT – Active IOCs
June 15, 2021
Severity
Medium
Analysis Summary
Microsoft observed a large number of attacks that use SEO poisoning campaigns to deliver Remote Access Trojans (RATs) to steal confidential data. SEO poisoning is a relatively new and potent technique, and Microsoft Defender Antivirus has detected and blocked a large number of PDF files across different sectors that use it. The SolarMarker RAT is installed when users open a .doc file or a .pdf file. Once the user clicks on the links, they are redirected through 5 to 7 sites with top-level domains like .site, .tk, and .ga.
Microsoft experts noticed that these PDF files are hosted primarily on Amazon Web Services (AWS) and Strikingly. The SEO poisoning campaign delivers a fileless .NET RAT dubbed SolarMarker (aka Jupyter, Polazert, and Yellow Cockatoo), which is also used to deliver other malicious payloads to infected devices. SolarMarker has backdoor capabilities and allows operators to steal sensitive data from web browsers; it gains persistence by adding itself to the Startup folder and modifying shortcuts on the victims' desktop. In April, information security experts from different regions of the world discovered over 100,000 unique web pages containing popular business terms/particular keywords (i.e. template, invoice, receipt, questionnaire, and resume).
“Operators of the malware known as SolarMarker, Jupyter, other names are aiming to find new success using an old technique: SEO poisoning. They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware,” states Microsoft. “After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file, which is typically the SolarMarker/Jupyter malware, but we have also seen random files being downloaded, a detection/analysis evasion tactic.”
Impact
- Exposure of Sensitive Data
- Credential theft
Indicators of Compromise
- in@jetclubs[.]biz
- ex@exdigy[.]ne
IP
- 92[.]118[.]149[.]238
MD5
- 7be0725643c89e332b0434536a96de50
- 22f39b13e3cf7a296f62bf720611beb6
- 927e2e5292baa585c00681b3e11e60b5
SHA-256
- 3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01
- ceb42fea3be898251028e2c5128a69451212bcb48a4871454c60dc2262426677
- ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601
SHA1
- b2ed7e45eec9afb74ffbfa90495824945b8a84c7
- a579b4a5ded96bc4c46664a5b8f1c943bf8d430d
- 942c1b5eb8ea14e2fa0d0b83a296cf37c8efa688
Remediation
- Incorporate Known IOCs into IDS
- Phishing Awareness Training
- Microsoft recommends that organizations enable EDR in block mode to block the malware.
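As an added example (not part of the Rewterz alert or of Microsoft's guidance), the following Python script applies the remediation items above to constructed proxy-log lines: it reconstructs per-client redirect chains and flags those with five or more hops through .site/.tk/.ga domains, the pattern described in the analysis summary, and it checks destination IPs and observed file hashes against the IOCs listed in this alert. The log format, the client and server addresses, and the hostnames in the sample are constructed assumptions; only the IOC values come from the alert.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# IOC values taken from this alert (IP and file hashes).
IOC_IPS = {"92.118.149.238"}
IOC_HASHES = {
    # MD5
    "7be0725643c89e332b0434536a96de50",
    "22f39b13e3cf7a296f62bf720611beb6",
    "927e2e5292baa585c00681b3e11e60b5",
    # SHA-256
    "3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01",
    "ceb42fea3be898251028e2c5128a69451212bcb48a4871454c60dc2262426677",
    "ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601",
    # SHA1
    "b2ed7e45eec9afb74ffbfa90495824945b8a84c7",
    "a579b4a5ded96bc4c46664a5b8f1c943bf8d430d",
    "942c1b5eb8ea14e2fa0d0b83a296cf37c8efa688",
}

# Redirect-chain characteristics named in the alert: 5 to 7 hops through these TLDs.
SUSPICIOUS_TLDS = {"site", "tk", "ga"}
MIN_HOPS = 5

# Constructed proxy log (assumed format): timestamp client method url status dest_ip
SAMPLE_LOG = """\
2021-06-15T10:00:01Z 10.0.0.5 GET http://pages.example-host.net/resume-template.pdf 302 198.51.100.7
2021-06-15T10:00:02Z 10.0.0.5 GET http://go-fast.site/r 302 198.51.100.8
2021-06-15T10:00:03Z 10.0.0.5 GET http://docs-drive.tk/r 302 198.51.100.9
2021-06-15T10:00:04Z 10.0.0.5 GET http://files-share.ga/r 302 198.51.100.10
2021-06-15T10:00:05Z 10.0.0.5 GET http://quick-doc.site/r 302 198.51.100.11
2021-06-15T10:00:06Z 10.0.0.5 GET http://cloud-view.tk/r 302 198.51.100.12
2021-06-15T10:00:07Z 10.0.0.5 GET http://drive-share.ga/download/resume-template.exe 200 92.118.149.238
2021-06-15T10:05:00Z 10.0.0.9 GET http://www.example.org/ 301 192.0.2.1
2021-06-15T10:05:01Z 10.0.0.9 GET https://www.example.org/ 200 192.0.2.1
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<dest_ip>\S+)$"
)


def parse_log(text):
    """Parse log text into event dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LOG_RE.match(line))]


def tld(url):
    """Return the lower-cased top-level domain of a URL's host (empty string if none)."""
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def find_redirect_chains(events, min_hops=MIN_HOPS):
    """Group events by client and flag redirect chains of min_hops or more 3xx responses
    that pass through at least one host in SUSPICIOUS_TLDS. Events are assumed to be in
    time order; a chain ends at the first non-3xx response, which is the landing page."""
    findings = []
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    for client, evs in by_client.items():
        chain = []
        for e in evs:
            if e["status"].startswith("3"):
                chain.append(e)
                continue
            if chain:
                bad = sum(1 for c in chain if tld(c["url"]) in SUSPICIOUS_TLDS)
                if len(chain) >= min_hops and bad:
                    findings.append({
                        "client": client,
                        "hops": len(chain),
                        "suspicious_tlds": bad,
                        "landing_url": e["url"],
                        "landing_ip": e["dest_ip"],
                    })
            chain = []
    return findings


def match_ip_iocs(events):
    """Return events whose destination IP is in the alert's IOC list."""
    return [e for e in events if e["dest_ip"] in IOC_IPS]


def match_hash_iocs(observed_hashes):
    """Return the sorted subset of observed hashes (any case) that match the IOC hashes."""
    return sorted({h.lower() for h in observed_hashes} & IOC_HASHES)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in find_redirect_chains(evts):
        print("redirect chain:", f)
    for e in match_ip_iocs(evts):
        print("IOC IP hit:", e["client"], "->", e["dest_ip"], e["url"])
    print("hash hits:", match_hash_iocs(["7BE0725643C89E332B0434536A96DE50", "deadbeef"]))
```

The chain detector deliberately requires both the hop count and a suspicious TLD, since long redirect chains alone are common with ad networks and URL shorteners; in production the log parser would be replaced by the proxy's real export format, and the IOC sets loaded from the alert feed rather than embedded.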