Severity
Medium
Analysis Summary
The financial services sector in the U.S. found itself under a barrage of cyberattacks last month, all bent on delivering a backdoor called Minebridge. The attack chain used a known evasion method, VBA stomping: the human-readable VBA source inside the document is replaced with benign text while the compiled p-code, which Office actually executes when the document is opened in the same Office version that compiled it, is left in place, so scanners that inspect only the macro source see nothing malicious. The technique has a built-in limitation: under any other Office version the macro is recompiled from the (benign) source and the payload never runs, which is why such lures are often tuned to a target's known Office build. Detection therefore has to decode the p-code (for example with pcodedmp or olevba) rather than trust the extracted source. The campaigns, aimed at enabling further malware infections and espionage, were initiated via phishing emails carrying attached documents with malicious macros. The emails were sent from look-alike domains chosen to lend the messages legitimacy, giving the lures a consistent and convincing theme.
The Minebridge Payload
The ultimate goal of the document is to infect the victim with the Minebridge backdoor, which gives attackers full remote control of the compromised host. The backdoor runs alongside a legitimately signed copy of TeamViewer that loads it (DLL side-loading), which is why its command set includes toggling TeamViewer's microphone. Its C2 commands include: downloading and executing further malware, downloading arbitrary files, self-deletion and self-update, listing processes, shutting down or rebooting the host, executing arbitrary shell commands, elevating its own process, turning TeamViewer's microphone on or off, and gathering system information.
Impact
Complete takeover of the target environment
Indicators of Compromise
MD5
- 05432fc4145d56030f6dd6259020d16c
- 0be9911c5be7e6dfeaeca0a7277d432b
- 0dd556bf03ecb42bf87d5ea7ce8efafe
- 15edac65d5b5ed6c27a8ac983d5b97f6
- 1e9c836f997ddcbd13de35a0264cf9f1
- 21aa1066f102324ccc4697193be83741
- 22b7ddf4983d6e6d84a4978f96bc2a82
- 2333fbadeea558e57ac15e51d55b041c
- 2b9961f31e0015cbcb276d43b05e4434
- 2c3cb2132951b63036124dec06fd84a8
- 4de9d6073a63a26180a5d8dcaffb9e81
- 505ff4b9ef2b619305d7973869cd1d2b
- 52d6654fe3ac78661689237a149a710b
- 53e044cd7cea2a6239d8411b8befb4b7
- 5624c985228288c73317f2fa1be66f32
- 598940779363d9f4203fbfe158d6829b
- 60bdea2c493c812428a8db21b29dd402
- 681a77eba0734c0a17b02a81564ae73f
- 6b7d9268c7000c651473f33d088a16bd
- 6d6f50f7bba4ae0225e9754e9053edc0
- 6de77c1b4e8abaaf304b43162252f022
- 7004fadfa572d77e24b33d2458f023d1
- 71988460fd87b6bff8e8fc0f442c934b
- 722981703148fa78d41abbae8857f7a2
- 818f7af373d1ec865d6c1b7f59dc89e5
- 832052b0f806f44b92f6ef150573af81
- 836125ae2bed57be93a93d18e0c600e8
- 86d60bce47c9bb6017e3da26cab50dcf
- 8919458aec3dcc90563579a76835fc54
- 8d7e220af48fceee515eb5e56579a709
- 91b8ec04d8b96b90ea406c7b98cc0ad6
- 959eb0696c199cbf60ec8f12fcf0ea3c
- 95ec5e8d87111f7f6b2585992e460b52
- 9606cf0f12d6a00716984b5b4fa49d7d
- 9f7fed305c6638d0854de0f4563abd62
- a11c0b9f3e7fedfe52b1fc0fc2d4f6d1
- a47915a2684063003f09770ba92ccef2
- a917b2ec0ac08b5cde3678487971232a
- ad06205879edab65ed99ed7ff796bd09
- ad910001cb57e84148ef014abc61fa73
- b1ce55fca928cf66eaa9407246399d2c
- b9249e9f1a92e6b3359c35a8f2a1e804
- bd6880fb97faceecf193a745655d4301
- be2597a842a7603d7eb990a2135dab5e
- cf5470bfe947739e0b4527d8adb8486a
- d593b7847ec5d18a7dba6c7b98d9aebf
- d7ee4ffce21325dfe013b6764d0f8986
- de4d7796006359d60c97a6e4977e4936
- e0069cd3b5548f9fd8811adf4b24bf2e
- e1ea93fa74d160c67a9ff748e5254fe0
- ea15d7944c29f944814be14b25c2c2b1
- f22a4abd5217fa01b56d064248ce0cc5
- f3cb175e725af7f94533ecc3ff62fa12
- f6533e09a334b9f28136711ea8e9afca
- f7daaea04b7fe4251b6b8dabb832ee3a
- fb1555210d04286c7bcb73ca57e8e430
- 01067c8e41dae72ce39b28d85bf923ee
- 1601137b84d9bebf21dcfb9ad1eaa69d
- 1c883a997cbf2a656869f6e69ffbd027
- 2ed49bd499c9962e115a66665a6944f6
- 3b948368fe1a296f5ed18b11194ce51c
- 4148281424ff3e85b215cd867746b20c
- 54f22fbc84f4d060fcbf23534a02e5f6
- 5a3d8348f04345f6687552e6b7469ac1
- 607d28ae6cf2adb87fcb7eac9f9e09ab
- 9ba3275ac0e65b9cd4d5afa0adf401b4
- 9becd2fd73aa4b36ad9cd0c95297d40b
- 9cce3c9516f0f15ce18f37d707931775
- 9faf9e0c5945876c8bad3c121c91ea15
- a37e6eeb06729b6108649f21064b16ef
- ab8dc4ba75aad317abb8ee38c8928db0
- b8817253288b395cb33ffe36e0072dc9
- cb5e5d29f844eb22fecaa45763750c27
- cffda37453e1a1389840ed6ebaef1b0d
- dc0e1e4ec757a777a4d4cc92a8d9ef33
- e5c7e82670372e3cf8e8cab2c1e6bc17
- f93062f6271f20649e61a09c501c6c92
SHA-256
- 182ccc7f2d703ad732ffee0e1d9ae4ae5cf6b8817cc33fd44f203d31868b1e97
- 65ead629a55e953b31668aac3bd373e229c45eb1871d8466f278f39ebcd5d26b
- 48f6810e50d08c2631f63aae307a7724dba830430f5edd4b90b4b6a5b3c3ca85
- 03ff2b3067aa73ecd8830b6b0ea4f7cfa1c7476452b26227fb433265e7206525
- 23da418912119a1358c9a1a4671ba60c396fff4c4de225fe6a225330147549a7
- 86d839e1d741445f194965eee60d18bd292bec73e4889089e6caf9877581db12
- fc39cb08cae90c661e00718e2a0051b5de3dcb7cddde919b9ffd2d79bf923d1f
- 57671d5154e707da0ee6139485f45a50fa9221852ebb65781d45a2660da7d0cb
- e41b89869c2b510c88acd1ed9fd4a6dfe89222a81c6c1241a69af3b7f812f712
- b6dbb902125e7bf6f6701b654cbff4abaf2e853441cf34045ac19eff5ed8ce84
- 7b1d4774176976ffcb2075889557f91a43c05fb13f3bc262bbaec4d7a0a827e6
- abb05ba50f45742025dd4ebff2310325783da00fb7bc885783e60a88c5157268
- d6a0e62fe53116c9b5bccd2a584381e2ca86e35490d809ce1900603d5e6b53eb
- 6e76d648d446e6a70acdd491f04c52d17f9f0e1ef34890c6628c4f48725b47c8
- 99559a5f06b0279ed893d2799b735dae450a620f6cea2ea58426d8b67d598add
- 1358b0ccae9dbb493228dc94eb5722c8d34c12227a438766be83df8c1c92a621
- 383c86deed8797e0915acf3e0c1b6a4142c2c5ecb5d482517ed2ade4df6f36fd
- 0aaa66dc983179bffdb181079f3b786b6cd587c38c67ba68b560db0bd873278a
- 6e39ffecab4ca0bd7835a2e773ebfc3f6d909a0a680f898e55f85ed00728666d
- ddf33eff293ffc268dfd0a33dddef97aefe9e010ec869dc22c221d197eb85740
- 8f50ddc1519e587597882a6bd0667653c36a8064b56ee5ff77665db2faf24710
- cccd6b46f950caec5effdd07af339be78691974fec5f25d923932b35edb95c4a
- 8167d41ad30f5d451791878815e479965b2f5213231f26819ecaf4fcc774ab12
- a3070ee10dd5bcd65a45b72848c926db2602e5297641452edff66e7133cdce9c
- cbe4b73c0c95c207ccde9d9bd80f541cf90cad18ba5abc3fe66a811ead1601c2
- e162a70a6e27fe23379d3a17a3a727d85a94b79416d81ec3b4ea80d329e96830
- 0fbde653bef4642626f2996a41a15a635eb52cd31eacce133d28301b902d67df
- 6c134908ad74dfa1468a1166e7d9244695f1ffeff68bfd4eec4b35820b542b8a
- aad0537924bacddd0d5872f934723e765dbb182f2804c6f594f9b051937495ec
- 3eefa7072344e044c0a6abb0030f3f26065bf6a86bb50ea38473dd7ac73904fb
- 0520e68a4b73c3b41e566cf07be54e1f1cb59c59c303fe3390e0687f9af1a58a
- ccb5f8734befd6ab218513e16a57679a8fb43b2732e19233ee920d379045e318
- 3f8e38ccf71f122b65fdc679db13e3de3bb4b4fc04b8ab6f955d02e0bca10fae
- f4f062fd7b98365ed6db993b1da586dd43e5cdcc2f00a257086734daf88c9abb
- 6c5f72ddf0262838a921107520cdc12ba8e48dbafab4a66732a350095dd48e9f
- d35ac29ea6e064b13d56f6a534022f253cf76b98e10a7ea1cbfa086eefd64f4b
- 7b16ce0d2443b2799e36e18f60fe0603df4383b1a392b0549c3f28159b1ca4d4
- 8578bff803098bf5ca0d752d0a81f07659688a32cbfc946728e5ab0403f5c4ba
- d560f8717f4117d011f40c8880081d02d1455a41c93792e1600799d3e5ee9421
- c9a6f7b0603779690c1d189850403f86608a3c5e1cd91e76fd31c4f119ae256b
- c6214ec7909ce61d6ec3f46f5a7ec595d8cc8db48965c5baee8a346632cbe16d
- 0695e5e49a297c980b96f76bf10e5540de188d6a6a162e38f475418d72a50032
- 23840c587e4e9588b3d0795d4d76a4f3d4d5b2e665ce42dde0abcd1e0a2ba254
- 6288d3de1f1aa05fa0a5f0c8eb9880d077f034fc79fc20f87cbfcc522aa803cb
- 6357fdb8f62948d489080b61caf135e6aaba32dcdb7dc49b0efafef178b3b54f
- 5df3a6afb1a56fa076c6db716d5a050455158941ec962546a8799fc80ccfa573
- 92e94482dee75261c8ebdcbb7ace382a097cca11bcdc675bbe2d7b3f67525f84
- ee8ba1c5329d928d542bfa06eec2c0a3e3b97dcc20382ddbc27bc420ceaeb677
- 6046d6aed3f4ee2564d6be540d46bcdc0bebce11a1ced4b9ddbfa1a41084411c
- 92c10ef23209e09abb17e41d67301f0e3f7d9e7ddfc7c1a66140c4986d72bee7
- 5898b41ca4f4777ad04d687f93548129ccb626d2f5e6e100b0a037c3d40a7444
- 858b4070f8b83aa43fd6a5189a8ed226ce767a64972db893e36550a25b20be94
- 5a5385df469459cd56f6eecbf4b41b8c75aa17220c773501eaec22731f3a41bb
- 9136c36ccd0be71725e8720a6cfdbdd38d7eea3998228c69ed4b52e78ba979c4
- 6abd90d718113482a5bcd36e35b4ea32c469f94fc2cfb9c1c98214efbf64c352
- 36da56815dc0c274fc8aacdfffbc4d5e500025ccd1147cad513d59b69ab955d
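One way to act on the hash lists above is a host sweep that parses them in the advisory's own "- <hex>" format, infers the algorithm from digest length, and hashes files on disk with both MD5 and SHA-256. The script below is an added example, not Rewterz tooling; IOC_TEXT is a constructed excerpt of the lists (paste the full lists in the same format for real use), and the 64 MiB size cap is an assumption. Note that the last SHA-256 entry on this page is 63 hex characters long, so a loader that silently keeps it would never match; the parser rejects malformed entries and reports them instead.

```python
"""IOC hash sweep for this advisory's MD5 / SHA-256 indicators.
Added example, not part of the original advisory or Rewterz tooling."""
import hashlib
import os
import re

# Constructed excerpt of the advisory's IOC section, in the page's own
# "- <hex>" format. The last entry is deliberately 63 hex chars long (as it
# appears on the page) to show how a truncated hash is rejected, not kept.
IOC_TEXT = """
MD5
- 05432fc4145d56030f6dd6259020d16c
- 0be9911c5be7e6dfeaeca0a7277d432b
SHA-256
- 182ccc7f2d703ad732ffee0e1d9ae4ae5cf6b8817cc33fd44f203d31868b1e97
- 36da56815dc0c274fc8aacdfffbc4d5e500025ccd1147cad513d59b69ab955d
"""

HEX_LINE = re.compile(r"^-\s*([0-9a-fA-F]+)\s*$")
# Hex-digest length identifies the algorithm; any other length is malformed.
ALGO_BY_LEN = {32: "md5", 64: "sha256"}


def load_iocs(text):
    """Parse '- <hex>' lines into {algo: set(lowercase digests)}.
    Returns (iocs, rejected) so malformed entries are reported, not dropped."""
    iocs = {"md5": set(), "sha256": set()}
    rejected = []
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue  # headings such as "MD5" / "SHA-256" or blank lines
        digest = m.group(1).lower()
        algo = ALGO_BY_LEN.get(len(digest))
        if algo is None:
            rejected.append(digest)
        else:
            iocs[algo].add(digest)
    return iocs, rejected


def hash_bytes(data):
    """Return {algo: hexdigest} for the algorithms the IOC list uses."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def match_bytes(data, iocs):
    """Return the (algo, digest) pairs of `data` that hit the IOC set."""
    digests = hash_bytes(data)
    return [(algo, d) for algo, d in digests.items() if d in iocs[algo]]


def scan_paths(root, iocs, max_size=64 * 1024 * 1024):
    """Walk `root`; return {path: [(algo, digest), ...]} for matching files.
    Files larger than max_size are skipped to keep the sweep bounded
    (assumption: the advisory's samples are well under that size)."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file; log it in real use
            found = match_bytes(data, iocs)
            if found:
                hits[path] = found
    return hits


if __name__ == "__main__":
    import sys
    iocs, rejected = load_iocs(IOC_TEXT)
    for bad in rejected:
        print(f"rejected malformed indicator ({len(bad)} hex chars): {bad}")
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_paths(root, iocs).items():
        for algo, digest in found:
            print(f"MATCH {algo} {digest} {path}")
```

Run it as `python ioc_sweep.py /path/to/scan`. Where a control supports it, prefer matching on the SHA-256 values: an MD5-only hit is still useful for triage, but MD5 collisions are cheap enough that a file matching only on MD5 should be confirmed by a second indicator before it is treated as the advisory's sample.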
Remediation
- Block the indicators above at your perimeter, mail and endpoint controls; where a control supports it, prefer the SHA-256 values over MD5.
- Treat emails from unknown senders with suspicion, especially those carrying macro-enabled Office attachments.
- Do not open attachments or follow links sent by unknown senders.
- Because VBA stomping hides the malicious macro source, inspect suspicious documents with a tool that decodes the compiled p-code rather than relying on macro-source scanning alone, and block macros in documents received from the internet where business processes allow.