September 3, 2020
Severity
High
Analysis Summary
Researchers have uncovered a hitherto undocumented malware family named KryptoCibule. This malware is a triple threat in regard to cryptocurrencies. It uses the victim’s resources to mine coins, tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its communication infrastructure. The malware, written in C#, also employs some legitimate software. Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server.
Figure: An overview of the various components and their interactions.
When the malware is first executed, the host is assigned a unique identifier with the format {adjective}-{noun} where {adjective} and {noun} are random words taken from two hardcoded lists which provide over 10 million unique combinations. This identifier is then used to identify the host in communications with the C&C servers.
On top of the crypto-related components, KryptoCibule also has RAT functionality. Among the commands it supports are EXEC, which allows execution of arbitrary commands, and SHELL, which downloads a PowerShell script from the C&C.
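The clipboard hijacking described above (a wallet address copied by the user is silently swapped for another before it is pasted) can be surfaced by a host-side monitor that polls the clipboard and flags address-to-address replacements within a short interval. The following is an added detection sketch, not code from the advisory or from the malware analysis; the address patterns, the polling samples and the two-second threshold are constructed assumptions, and the regexes are heuristics rather than checksum validators.

```python
import re

# Assumed (constructed) address shapes for the two families clipboard hijackers
# most often target: Bitcoin (legacy base58 or bech32) and Ethereum (0x + 40 hex).
# These match the general shape only; they do not verify checksums.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the wallet-address family a clipboard string looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_clipboard_swaps(samples, max_gap=2.0):
    """Flag clipboard changes where one wallet address is replaced by a different
    address of the same family within max_gap seconds of being copied.

    samples: list of (timestamp_seconds, clipboard_text) as polled from the
    clipboard; a real monitor would feed these from the OS clipboard API.
    Returns one alert dict per suspicious replacement.
    """
    alerts = []
    prev_ts, prev_text = None, None
    for ts, text in samples:
        if prev_text is not None and text != prev_text:
            old_kind, new_kind = address_kind(prev_text), address_kind(text)
            # A user pasting a second address minutes later is normal; an
            # address replaced by another of the same family almost immediately
            # after being copied is the hijacker's signature.
            if old_kind and old_kind == new_kind and ts - prev_ts <= max_gap:
                alerts.append({
                    "kind": old_kind,
                    "original": prev_text.strip(),
                    "replaced_with": text.strip(),
                    "at": ts,
                })
        prev_ts, prev_text = ts, text
    return alerts


# Constructed sample poll: a BTC address is swapped half a second after copy,
# while an ETH address changed ten seconds later is treated as user activity.
SAMPLE_POLL = [
    (0.0, "hello"),
    (1.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    (1.5, "1CounterpartyXXXXXXXXXXXXXXXUWLpVr"),
    (10.0, "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"),
    (20.0, "0x0000000000000000000000000000000000000000"),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_POLL):
        print(alert)
```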
Impact
- Hijacking of transactions
- Mining cryptocoins
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for IoCs in your environment.