May 18, 2021
Severity
High
Analysis Summary
Threat actors are abusing the Microsoft Build Engine (MSBuild) to deliver remote access trojans (RATs) and the RedLine credential stealer filelessly.
MSBuild is the free, open-source build platform for managed code and native C++ code that ships with the .NET Framework and Visual Studio. It is driven by project files: XML documents with a schema "that controls how the build platform processes and builds software". Because MSBuild can compile and execute C# inline tasks embedded in that XML, a project file handed to the Microsoft-signed MSBuild.exe is enough to compile and run attacker code in memory, with no conventional executable written to disk. In this campaign the project files decode an embedded payload and execute the shellcode through callback functions, delivering Remcos RAT and RedLine stealer.
A Russian image-hosting site, joxi[.]net, hosted the shellcode and encoded executables. Running the loader inside a trusted, signed build tool lets the attackers stage the malicious code in memory while giving file-based antivirus little to inspect.
“The threat actors behind this campaign used fileless delivery as a way to bypass security measures, and this technique is used by actors for a variety of objectives and motivations,” concludes Anomali. “This campaign highlights that reliance on antivirus software alone is insufficient for cyber defense, and the use of legitimate code to hide malware from antivirus technology is effective and growing exponentially.”
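The tradecraft above is visible in process-creation telemetry: MSBuild.exe launched by a non-developer parent, with a project file sitting in a user-writable directory, often with an extension that is not a normal project or solution file. The following detector is an added example written for this page, not code from Rewterz or Anomali. It runs over constructed Sysmon Event ID 1-style records (not real telemetry), flags those traits, and matches a project file's hash against two digests copied from the IOC list below. The trusted-parent baseline and the `project_hashes` field (which assumes an EDR that hashes the referenced project file on access) are assumptions, not something the advisory states.

```python
"""Added example: flag MSBuild.exe launches resembling the inline-task abuse
described in this advisory and match project-file hashes against its IOCs.
Sample records are constructed here; they are not real telemetry."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Subset of the digests listed in the IOC section of this advisory.
IOC_HASHES = {
    "45c94900f312b2002c9c445bd8a59ae6",                                   # MD5
    "0afff9f670970072dce4ce7530654890226c4b1b3a249079a0f304f7f0309e1d",  # SHA-256
}

# Assumed baseline: parents from which MSBuild normally starts in a dev estate.
TRUSTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}

# Drop locations writable without admin rights; a project file living here is
# a strong signal by itself. Patterns are applied to the lower-cased path.
USER_WRITABLE_DIRS = (
    r"\\appdata\\", r"\\temp\\", r"\\downloads\\", r"\\desktop\\",
    r"\\users\\public\\", r"^c:\\programdata\\",
)
PROJECT_EXTENSIONS = (".sln", ".csproj", ".vbproj", ".proj", ".targets", ".props")


@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    # Hashes of the project file named on the command line, as an EDR that
    # hashes files on access would record them (assumed field, not Sysmon's).
    project_hashes: Dict[str, str] = field(default_factory=dict)


def project_argument(command_line: str) -> Optional[str]:
    """Return MSBuild's project/solution argument: the first token after the
    executable that is not a /switch or -switch. Quoted paths keep their spaces."""
    tokens = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', command_line)]
    for arg in tokens[1:]:
        if not arg.startswith(("/", "-")):
            return arg
    return None


def assess(event: ProcessEvent) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    if event.image.rsplit("\\", 1)[-1].lower() != "msbuild.exe":
        return []
    reasons = []
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    project = project_argument(event.command_line)
    if project is None:
        # No project given: MSBuild builds whatever sits in the working
        # directory, which is odd unless a development tool spawned it.
        if parent not in TRUSTED_PARENTS:
            reasons.append(f"no project argument, spawned by {parent}")
    else:
        lowered = project.lower()
        if any(re.search(p, lowered) for p in USER_WRITABLE_DIRS):
            reasons.append(f"project file in user-writable path: {project}")
        if not lowered.endswith(PROJECT_EXTENSIONS):
            reasons.append(f"non-project extension passed to MSBuild: {project}")
    for algo, digest in event.project_hashes.items():
        if digest.lower() in IOC_HASHES:
            reasons.append(f"{algo} {digest} matches advisory IOC")
    return reasons


def is_suspicious(event: ProcessEvent) -> bool:
    return bool(assess(event))


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcessEvent(  # Visual Studio building a solution from the dev's repo: benign
        image=r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
        command_line=r'"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe" "C:\Users\dev\source\repos\App\App.sln" /t:Build /p:Configuration=Release',
        parent_image=r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
        project_hashes={"MD5": "00000000000000000000000000000000"},
    ),
    ProcessEvent(  # explorer-launched .proj from Temp whose hash is on the IOC list
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        command_line=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\victim\AppData\Local\Temp\stage.proj",
        parent_image=r"C:\Windows\explorer.exe",
        project_hashes={"MD5": "45c94900f312b2002c9c445bd8a59ae6"},
    ),
    ProcessEvent(  # PowerShell feeding a project disguised as .xml from ProgramData
        image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        command_line=r"msbuild.exe C:\ProgramData\update.xml",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    ),
]


def run_demo() -> List[List[str]]:
    """Assess every sample event and return the per-event reason lists."""
    return [assess(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, reasons in zip(SAMPLE_EVENTS, run_demo()):
        verdict = "SUSPICIOUS" if reasons else "benign"
        print(f"{verdict}: {event.command_line}")
        for r in reasons:
            print(f"    - {r}")
```

A developer running MSBuild from a terminal against a project in a normal source tree produces no reasons, so the parent process alone never fires; it only matters when no project argument is present. Tune `USER_WRITABLE_DIRS` and `TRUSTED_PARENTS` to the estate before deploying, and treat an MSBuild.exe process that subsequently opens network connections as an additional correlation point.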
Impact
- Data Breach
- Remote Access
Affected Vendors
Microsoft
Affected Products
MSBuild
Indicators of Compromise
MD5
- 45c94900f312b2002c9c445bd8a59ae6
- d8a57534382a07cc0487b96350bca761
- d52d6bad3d11e9a72998608ccca572f5
- d66740b3ed3884c31d40e3747684411e
- 43660f882cc5971ab83a810398487317
- 192b8ee95537dda7927ba3b45183e6a4
- 1ae425ac2890283ddcf11946e7e8f6ae
- 20621960888a6299123ce5a2df5eabba
- 27b62f7b4b285b880b8c81960aa60b15
- 2d15a4c9184878e25bdf108bd58290b8
- 37bbbbc44c80ff4fe770ce78f6a37ebd
- 603b1cc2d5488dcd8bb0a3b14429c88b
- 62c8efb35b3b9c10e965ec5a236fed2d
- a948e8d3222b9fa8ccbd091230098b78
- ecdb2860af9ce2754d178c80e3303080
- fe84ead033bfeaee70f84d8733b51e08
SHA-256
- 0afff9f670970072dce4ce7530654890226c4b1b3a249079a0f304f7f0309e1d
- a0fee7fc0bdb2add07ca443b69b84d35d8701af65b95d0bc04da502bea1a88b6
- 361a286eb219f4c6805632922dd676cb36c71b1fc92d7975f3b5af1c7ff6aae8
- b8f4f19c516fe1a383c2d6518ef70766ff87d4ed7755fa93688b3bd3d7453fbb
- 759b227259adf08c2ebe250c823963b14a98dd1f17065da47d7ccb7c9c7d5b60
- 6b3123769eddccc90d9bc08640aea942fd414dd919ffc747a7380e496116f813
- 132ed1b306140b416eaf871960fce6c7d8a2f11ec2b7c245a68662cda8b9877f
- fab7972ad422c46254ce6eb8b334e71db0f19ec609f1d6a16c9105189ad159c4
- 39cb804adb8a1bebd9b2d263ebcc047b9cb37477353cb2081297f2958bd85585
- 1201874c48f0efe30b745a747a4fe5140a2f8453bfb378800db9b8af6d72616f
- 4e075115d6bee8e355eece712835c186feb356edab26f5669d42e9c10e575026
- 197f97597ea424edf4c9df70742e8f959af84bc423c1dd756113ccd52c0fad5e
- bcc29672410189773ee4b7c1a14bf04166a49225fbb09d2a7d858fd19db80a13
- 05f28f55fde04d4bbefba14bc70d34cf76de890a5a2cd75458952fa03644dd04
- f9171e7ce93d18987bbb2313f1db15315a89fb58a00460eaeb058efb37d72ecd
SHA-1
- e9b32d8dbaecdf8b7256e7b8d2922d50a94e4224
- 5de0793d1f47d8dbb5a11ae50de132dfd9ad2dab
- e984ebb43e861b33bd6db726337215910a5c7616
- d306dfc961862d5df35d589ec33c03d25175bbb1
- a2b3da969c767b348b3025e45df1abd37130069b
- c1a131083fa2bf96df16aba16c9793e47e98e9fa
- cee0b2639e7779383352fc1fd7b819e12b9149d4
- f840f15b58cecccea939a521726b352b8d25970b
- 04d62a079305c52649c6d62afe81eb8cd9e0d8fe
- 645389b8e4c7207ad297307fcebe7f3724183fb1
- f72dc74b8151b0c5579e4ea5a0576a2b3b897889
- 87364e4d0a12b276927b2c2a6a25ef8113d03ea1
- 953af7afd26d27d2d214d96a6c46b58790cf230a
- 946b4c6aa9bebb1ffa15c4dcb88f89187791661e
- a10c52fbeb163b4bc21b81478a2ba976f72af69b
Remediation
- Block the listed indicators at their respective controls (endpoint, web proxy or DNS, and mail gateway), including the joxi[.]net hosting domain used for payload retrieval.
- Alert on MSBuild.exe executions on hosts that do not build software, and on any MSBuild.exe launch whose project file resides in a user-writable location (AppData, Temp, Downloads, ProgramData) or that is followed by outbound network connections.
- Where MSBuild is not needed, block MSBuild.exe with application control (AppLocker or Windows Defender Application Control); Microsoft's recommended WDAC block rules already include it.
- Do not rely on antivirus alone: the payload is compiled and run in memory inside a signed Microsoft binary, so behavioural and process-lineage detection is needed alongside file scanning.
- Update Information Systems Security policies to include the latest threats.
- Restrict access to sensitive data.
- Protect systems against known threats by keeping firewall rules current and enabling intrusion detection policies.
- Use two-factor authentication; RedLine harvests stored browser and application credentials, and a second factor limits what those stolen passwords are worth.