Rewterz Threat Advisory – ICS: Multiples B&R Automation Vulnerabilties

June 29, 2021

Rewterz Threat Alert – Gamaredon APT – Active IOCs

June 29, 2021

Rewterz Threat Alert – Nanocore Rat – Active IOCs

June 29, 2021

Severity

Medium

Analysis Summary

The NanoCore remote access Trojan (RAT) was first discovered in 2013 when it was being sold in underground forums. The malware has a variety of functions such as a keylogger, a password stealer which can remotely pass along data to the malware operator. It also has the ability to tamper and view footage from webcams, screen locking, downloading and theft of files, and more.The current NanoCore RAT is now being spread through malspam campaign which utilizes social engineering in which the email contains a fake bank payment receipt and request for quotation. The emails also contain malicious attachments with .img or .iso extension. The .img and .iso files are used by disk image files to store raw dumps of either magnetic disk or optical disc. Another version of NanoCore is also distributed in phishing campaigns leveraging specially-crafted ZIP file which is designed to bypass secure email gateways. The malicious ZIP file can be extracted by certain versions of PowerArchiver, WinRar, and older 7-Zip. The stolen information is sent to the command and control (C&C) servers of the malware attacker.

This RAT gathers the following data and sends it to its servers:

Browser’s user names and passwords
File Transfer Protocol (FTP) clients or file manager software stored account information
Email credentials of popular mail clients

Impact

Credential Theft
Unauthorized Access
Theft of Sensitive Information

Indicators of Compromise

MD5

205abd11f4195b68cf127514f33b7533
ee0091b9d740cfb069435c3075bf5988
902bfcb0700a03069a73aeabe0dbabb6
b1f301d396c7b894e5cb0313b01e00b4
ac1a85521ed7e7d1f7bb19145008aa96

SHA-256

994a876850c76b1ba0693f3182714023644b5cfc1e531e46dde64b7b47bf5742
b1751fab98d63450ea04443805eb9d2b56fa06ea5676493a7d96c1a9b5d17cf2
2322619407083784abb63747eaba3b6125c789d88c1d88509a42c434b41dd27e
fa3ef5c48e5020217d337e0d812fc95eab715ac3bd758d9af57072ac9a9ac3db
d101e393b85225ee4736ff59419df94b13d253755f8e6e0f08777bacf259b672
6299d777b3d9d99b5bdc6cc3c554486bfc2b32a9423f9e1a67b7b1a28b048cdd
154fdce874b311551a2991ea29fae1061f5da388a8e61cc244e056d8e43006a6
4ff651a559ea78e6aa9977bfce5a491a4930b2fe0a6744e3443d21709f796146
67b6c2763a40c91b2909cb735944c99f1d4c77e4f29fd331ffcb5677779f88ec
a1e44bbc4bdc5d52743870e328e43ad8729fca9f10c3d5f3b72ad6dfc68a5496
51648c05e49e3a0dc72b3647997a751e40ed87ac043779a4f4ac138fd9bb825b
972b9871f4ea6f10d196b161f0a2bd7372666d480a7747b25cd489a4a6c0b6d0
a24bb56a37ae623f11d7dc119564aeac4ae088131d7a6d36be23fe5b883e0680
0270516715eb1a42d02524a05d943505231ed0ce7b17a5a73d7f417d3eed53da
ad0503c4cdc684c28e25e49db49e73b5727066438f181050124b5eb9e488a3d4
db7d82bf9fe9a0b3b5741d12ca1a1e4b9faed6491ca72752c828507aadde272c
57752414c956fb16b63aa2b5744ca63c022092f60843aeb4f8ab53f5cca0320b
668aac4731ed05614167ee5c8148e0e4246b8a98fdcb9e5e932f55757b68f185
db11f679e3b0257d40822fe0bbae57251dc528597eca0f272c19fe599484c26c
57465aa68181c8dbd2933715f17cd3d7158e12b76a49e1278ac9450e4edcfeb0
2e4887dc020b61cae71da6739bdcd835fbc48f503f8b8eff08a063dd2d0a069a
9380eb8ed935a7034acf41fec4494184c28a5438fa36e2e7fbde7c37ce46309d
c36e5dbb8dbab151a06837825b2d7160aa666c86bf93a05db60f289fb98b4bd0
3610608e8441af1270d152f0ee4668ea5c90ebe00e8792f3c48a7536ad530e4c
5567f6566a0a24d43f0318666fbb5e28bc6693404f67ef189f20b4f0ff0b7f0d
0d878e1289183c808b228f9535df574c3469a55aa63da69c5fc51e73394df0a0
df7a71143323699779282c3844bd6db2a66b291d7087639de39672253e4800f0
4505d521c590b6f5ac321cba1c03fef95f1df46e351bbdfc3d0926f13b742964
3b8f3c7a152267dbe259c95bccb53ba9020ed00e53c9eea126d1534085fd3f1e
d67c19186f746628f0a5a9185ce91da823d350b25f8551ea7b01239af7bd8c15
8906291fc9a6ad7470d6141db20cfc5a5732d704624c726904cec4fbbcdf72d6
c2e12d6842a3da3e8563beda090fc3e7e717da6a67f2ff7bb19aa3e409184d6b
37573fc67d16b45838276eb3e412ee66eeda6d100e01b65c0b64099e09ad95fb
ccee9d724d5de212b9fd60b569e1d24459e61f765334b6f073ffbfb98af490e9
ef1df0a14223bfb5a3f7e3ffe69d90f391fce5669e32dff5c382dae0bf69b357
ea136e3b2cd520fb319b53a23fd95f316f8b92e6af64704916eb15c2833ad244
f4ecd16100f69e0fc9d271ea912b637abb8af4089be291f28f1899785758fc6e
9e3e8b0c247528135b8b5f9849b23023c29c7482afc111211bda6cc7a9909bb4
e9f6c701f81fa678b4a6622d7b82bd47428d5612db1e8fe81d9cfe9130ee3751
bdbd92a8c02886fbc36e4a10116258efa9950829eaeecf877aa337c16d610ebf
9c4ffa90277bb28744643003e483bd2269e09d3af258e025eec33bc96a6702ca
d3017a1b5ee28b6b47844f81804e9dffb3509b47bc6d2c45b22007d48483f6b6
9496cbed7289e4a338d7c05641d68c9e0ddbcb52150f7b90a3f1442621cea87f
a079f8a6d6b8a409c2c9c973b1dfcc81cc3314a871de09ec6f4110b6414595f9
2a1c03b3a1f68c9459ded41de4df0c58b21cab15ae7a2bc5ae6155c7c95f8f58
5cc7c3b99ae2e4bd74d4beeca3393ef46f915a0debb6b541647a8385ae40d8ce
41aa2c9ec6a7693503204848d6a5d4850e10a643173c9a2fbd471c000f0f0402

SHA1

7a5e3523214c5ce5d7577aa7b1dede6f96a24be3
558fc89c24f1911ee14ca1068dd10e30ad2364d2
f73d624da5f7287f47443761ff75caf3632de951
ab4fbeabccb9be19a571b1a16a353dea161817cd
2e8aba28000a14f6ae4ad5ee9c6dbe14124c5db9

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Rewterz Threat Advisory – ICS: Multiples B&R Automation Vulnerabilties

Rewterz Threat Alert – Gamaredon APT – Active IOCs