Rewterz Threat Alert – MINEBRIDGE Targets Finance Sector

Severity

Medium

Analysis Summary

The financial services sector in the U.S. found itself under a barrage of cyberattacks last month, all bent on delivering a powerful backdoor called Minebridge. The attack chain employed a known method called “VBS Stomping” to avoid detection. the campaigns, aimed at enabling further malware infections and espionage efforts, were initiated via phishing emails with attached documents containing malicious macros. The emails were coming from fake domains that were geared to add legitimacy to the messages, resulting in a convincing theme running throughout the proceedings.

The Minebridge Payload

The ultimate goal of the document is to infect victims with the Minebridge backdoor. It’s a powerful piece of malware that gives attackers full control of the target environment. Its C2 commands include downloading and executing other malware, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer’s microphone and gathering system information.

Impact

Complete takeover of the target environment

Indicators of Compromise

MD5

• 05432fc4145d56030f6dd6259020d16c
• 0be9911c5be7e6dfeaeca0a7277d432b
• 0dd556bf03ecb42bf87d5ea7ce8efafe
• 15edac65d5b5ed6c27a8ac983d5b97f6
• 1e9c836f997ddcbd13de35a0264cf9f1
• 21aa1066f102324ccc4697193be83741
• 22b7ddf4983d6e6d84a4978f96bc2a82
• 2333fbadeea558e57ac15e51d55b041c
• 2b9961f31e0015cbcb276d43b05e4434
• 2c3cb2132951b63036124dec06fd84a8
• 4de9d6073a63a26180a5d8dcaffb9e81
• 505ff4b9ef2b619305d7973869cd1d2b
• 52d6654fe3ac78661689237a149a710b
• 53e044cd7cea2a6239d8411b8befb4b7
• 5624c985228288c73317f2fa1be66f32
• 598940779363d9f4203fbfe158d6829b
• 60bdea2c493c812428a8db21b29dd402
• 681a77eba0734c0a17b02a81564ae73f
• 6b7d9268c7000c651473f33d088a16bd
• 6d6f50f7bba4ae0225e9754e9053edc0
• 6de77c1b4e8abaaf304b43162252f022
• 7004fadfa572d77e24b33d2458f023d1
• 71988460fd87b6bff8e8fc0f442c934b
• 722981703148fa78d41abbae8857f7a2
• 818f7af373d1ec865d6c1b7f59dc89e5
• 832052b0f806f44b92f6ef150573af81
• 836125ae2bed57be93a93d18e0c600e8
• 86d60bce47c9bb6017e3da26cab50dcf
• 8919458aec3dcc90563579a76835fc54
• 8d7e220af48fceee515eb5e56579a709
• 91b8ec04d8b96b90ea406c7b98cc0ad6
• 959eb0696c199cbf60ec8f12fcf0ea3c
• 95ec5e8d87111f7f6b2585992e460b52
• 9606cf0f12d6a00716984b5b4fa49d7d
• 9f7fed305c6638d0854de0f4563abd62
• a11c0b9f3e7fedfe52b1fc0fc2d4f6d1
• a47915a2684063003f09770ba92ccef2
• a917b2ec0ac08b5cde3678487971232a
• ad06205879edab65ed99ed7ff796bd09
• ad910001cb57e84148ef014abc61fa73
• b1ce55fca928cf66eaa9407246399d2c
• b9249e9f1a92e6b3359c35a8f2a1e804
• bd6880fb97faceecf193a745655d4301
• be2597a842a7603d7eb990a2135dab5e
• cf5470bfe947739e0b4527d8adb8486a
• d593b7847ec5d18a7dba6c7b98d9aebf
• d7ee4ffce21325dfe013b6764d0f8986
• de4d7796006359d60c97a6e4977e4936
• e0069cd3b5548f9fd8811adf4b24bf2e
• e1ea93fa74d160c67a9ff748e5254fe0
• ea15d7944c29f944814be14b25c2c2b1
• f22a4abd5217fa01b56d064248ce0cc5
• f3cb175e725af7f94533ecc3ff62fa12
• f6533e09a334b9f28136711ea8e9afca
• f7daaea04b7fe4251b6b8dabb832ee3a
• fb1555210d04286c7bcb73ca57e8e430
• 01067c8e41dae72ce39b28d85bf923ee
• 1601137b84d9bebf21dcfb9ad1eaa69d
• 1c883a997cbf2a656869f6e69ffbd027
• 2ed49bd499c9962e115a66665a6944f6
• 3b948368fe1a296f5ed18b11194ce51c
• 4148281424ff3e85b215cd867746b20c
• 54f22fbc84f4d060fcbf23534a02e5f6
• 5a3d8348f04345f6687552e6b7469ac1
• 607d28ae6cf2adb87fcb7eac9f9e09ab
• 9ba3275ac0e65b9cd4d5afa0adf401b4
• 9becd2fd73aa4b36ad9cd0c95297d40b
• 9cce3c9516f0f15ce18f37d707931775
• 9faf9e0c5945876c8bad3c121c91ea15
• a37e6eeb06729b6108649f21064b16ef
• ab8dc4ba75aad317abb8ee38c8928db0
• b8817253288b395cb33ffe36e0072dc9
• cb5e5d29f844eb22fecaa45763750c27
• cffda37453e1a1389840ed6ebaef1b0d
• dc0e1e4ec757a777a4d4cc92a8d9ef33
• e5c7e82670372e3cf8e8cab2c1e6bc17
• f93062f6271f20649e61a09c501c6c92

SHA-256

• 182ccc7f2d703ad732ffee0e1d9ae4ae5cf6b8817cc33fd44f203d31868b1e97
• 65ead629a55e953b31668aac3bd373e229c45eb1871d8466f278f39ebcd5d26b
• 48f6810e50d08c2631f63aae307a7724dba830430f5edd4b90b4b6a5b3c3ca85
• 03ff2b3067aa73ecd8830b6b0ea4f7cfa1c7476452b26227fb433265e7206525
• 23da418912119a1358c9a1a4671ba60c396fff4c4de225fe6a225330147549a7
• 86d839e1d741445f194965eee60d18bd292bec73e4889089e6caf9877581db12
• fc39cb08cae90c661e00718e2a0051b5de3dcb7cddde919b9ffd2d79bf923d1f
• 57671d5154e707da0ee6139485f45a50fa9221852ebb65781d45a2660da7d0cb
• e41b89869c2b510c88acd1ed9fd4a6dfe89222a81c6c1241a69af3b7f812f712
• b6dbb902125e7bf6f6701b654cbff4abaf2e853441cf34045ac19eff5ed8ce84
• 7b1d4774176976ffcb2075889557f91a43c05fb13f3bc262bbaec4d7a0a827e6
• abb05ba50f45742025dd4ebff2310325783da00fb7bc885783e60a88c5157268
• d6a0e62fe53116c9b5bccd2a584381e2ca86e35490d809ce1900603d5e6b53eb
• 6e76d648d446e6a70acdd491f04c52d17f9f0e1ef34890c6628c4f48725b47c8
• 99559a5f06b0279ed893d2799b735dae450a620f6cea2ea58426d8b67d598add
• 1358b0ccae9dbb493228dc94eb5722c8d34c12227a438766be83df8c1c92a621
• 383c86deed8797e0915acf3e0c1b6a4142c2c5ecb5d482517ed2ade4df6f36fd
• 0aaa66dc983179bffdb181079f3b786b6cd587c38c67ba68b560db0bd873278a
• 6e39ffecab4ca0bd7835a2e773ebfc3f6d909a0a680f898e55f85ed00728666d
• ddf33eff293ffc268dfd0a33dddef97aefe9e010ec869dc22c221d197eb85740
• 8f50ddc1519e587597882a6bd0667653c36a8064b56ee5ff77665db2faf24710
• cccd6b46f950caec5effdd07af339be78691974fec5f25d923932b35edb95c4a
• 8167d41ad30f5d451791878815e479965b2f5213231f26819ecaf4fcc774ab12
• a3070ee10dd5bcd65a45b72848c926db2602e5297641452edff66e7133cdce9c
• cbe4b73c0c95c207ccde9d9bd80f541cf90cad18ba5abc3fe66a811ead1601c2
• e162a70a6e27fe23379d3a17a3a727d85a94b79416d81ec3b4ea80d329e96830
• 0fbde653bef4642626f2996a41a15a635eb52cd31eacce133d28301b902d67df
• 6c134908ad74dfa1468a1166e7d9244695f1ffeff68bfd4eec4b35820b542b8a
• aad0537924bacddd0d5872f934723e765dbb182f2804c6f594f9b051937495ec
• 3eefa7072344e044c0a6abb0030f3f26065bf6a86bb50ea38473dd7ac73904fb
• 0520e68a4b73c3b41e566cf07be54e1f1cb59c59c303fe3390e0687f9af1a58a
• ccb5f8734befd6ab218513e16a57679a8fb43b2732e19233ee920d379045e318
• 3f8e38ccf71f122b65fdc679db13e3de3bb4b4fc04b8ab6f955d02e0bca10fae
• f4f062fd7b98365ed6db993b1da586dd43e5cdcc2f00a257086734daf88c9abb
• 6c5f72ddf0262838a921107520cdc12ba8e48dbafab4a66732a350095dd48e9f
• d35ac29ea6e064b13d56f6a534022f253cf76b98e10a7ea1cbfa086eefd64f4b
• 7b16ce0d2443b2799e36e18f60fe0603df4383b1a392b0549c3f28159b1ca4d4
• 8578bff803098bf5ca0d752d0a81f07659688a32cbfc946728e5ab0403f5c4ba
• d560f8717f4117d011f40c8880081d02d1455a41c93792e1600799d3e5ee9421
• c9a6f7b0603779690c1d189850403f86608a3c5e1cd91e76fd31c4f119ae256b
• c6214ec7909ce61d6ec3f46f5a7ec595d8cc8db48965c5baee8a346632cbe16d
• 0695e5e49a297c980b96f76bf10e5540de188d6a6a162e38f475418d72a50032
• 23840c587e4e9588b3d0795d4d76a4f3d4d5b2e665ce42dde0abcd1e0a2ba254
• 6288d3de1f1aa05fa0a5f0c8eb9880d077f034fc79fc20f87cbfcc522aa803cb
• 6357fdb8f62948d489080b61caf135e6aaba32dcdb7dc49b0efafef178b3b54f
• 5df3a6afb1a56fa076c6db716d5a050455158941ec962546a8799fc80ccfa573
• 92e94482dee75261c8ebdcbb7ace382a097cca11bcdc675bbe2d7b3f67525f84
• ee8ba1c5329d928d542bfa06eec2c0a3e3b97dcc20382ddbc27bc420ceaeb677
• 6046d6aed3f4ee2564d6be540d46bcdc0bebce11a1ced4b9ddbfa1a41084411c
• 92c10ef23209e09abb17e41d67301f0e3f7d9e7ddfc7c1a66140c4986d72bee7
• 5898b41ca4f4777ad04d687f93548129ccb626d2f5e6e100b0a037c3d40a7444
• 858b4070f8b83aa43fd6a5189a8ed226ce767a64972db893e36550a25b20be94
• 5a5385df469459cd56f6eecbf4b41b8c75aa17220c773501eaec22731f3a41bb
• 9136c36ccd0be71725e8720a6cfdbdd38d7eea3998228c69ed4b52e78ba979c4
• 6abd90d718113482a5bcd36e35b4ea32c469f94fc2cfb9c1c98214efbf64c352
• 36da56815dc0c274fc8aacdfffbc4d5e500025ccd1147cad513d59b69ab955d

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.