Rewterz Threat Alert – LokiBot Malware – IOCs
September 29, 2020
Severity
High
Analysis Summary
Nemucod is a trojan that downloads additional malware onto victims’ computers. Cyber criminals distribute it via emails carrying zipped attachments. These emails often claim to be legitimate invoices, notices of appearance in court, or other official documents. Users commonly fall for these scams and open the attachment, which contains a JavaScript file; that file then downloads the Nemucod trojan onto their systems. Previously, Nemucod downloaded and installed TeslaCrypt and Locky ransomware on victims’ computers; it recently started a new campaign in which it downloads ransomware that encrypts users’ data (adding the .crypted extension to affected files and creating the DECRYPT.txt file on victims’ desktops).
The DECRYPT.txt file contains a message stating that files stored on the victim’s computer have been encrypted. It claims the files are encrypted using the RSA-1024 algorithm, which would mean they can only be decrypted with a private key generated during encryption and supposedly stored on remote servers controlled by the cyber criminals. The message states that to restore the files, users must pay a ransom of 0.60358 Bitcoin (at time of research, equivalent to $252.53), and it provides step-by-step payment instructions. However, research shows that the statement regarding the encryption algorithm is false. The ransomware in fact uses the XOR algorithm (embedded in the aforementioned executable, which is downloaded by the Nemucod trojan), so the encryption and decryption keys are identical. It is therefore possible to use this key to decrypt files without payment. Furthermore, the ransomware does not delete shadow volume copies, so these copies and ‘System Restore’ can be used to restore files affected by this ransomware.
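Why a XOR scheme is recoverable, as an added illustration that is not part of the advisory or the malware's own code: the same key both encrypts and decrypts, and because most file formats start with a known header, the key bytes can be recovered from one encrypted file and reused to restore the rest. It assumes a repeating byte key of known length and the .crypted suffix appended to the original filename; the sample file and key are constructed.

```python
"""
Recovery of files scrambled with a repeating-key XOR, using a known
format header to recover the key. Assumed for this demo (not stated in
the advisory): a repeating key of known length and a ".crypted" suffix
appended to the original filename. Sample data below is constructed.
"""
import tempfile
from itertools import cycle
from pathlib import Path

CRYPTED_SUFFIX = ".crypted"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key from a known plaintext prefix (e.g. a file header)."""
    if min(len(known_plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def decrypt_file(path: Path, key: bytes) -> Path:
    """Write the decrypted copy of a .crypted file next to it, dropping the suffix."""
    if path.suffix != CRYPTED_SUFFIX:
        raise ValueError(f"{path} does not carry the {CRYPTED_SUFFIX} suffix")
    original = path.with_suffix("")  # "invoice.pdf.crypted" -> "invoice.pdf"
    original.write_bytes(xor_bytes(path.read_bytes(), key))
    return original


def demo() -> bytes:
    """Encrypt a constructed PDF with a 4-byte key, then recover the key and the file."""
    plaintext = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    key = b"\x5a\x13\xc7\x08"  # constructed sample key
    crypted = Path(tempfile.mkdtemp()) / "invoice.pdf.crypted"
    crypted.write_bytes(xor_bytes(plaintext, key))
    # Defender's view: only the encrypted file and the PDF magic are known.
    recovered = recover_key(crypted.read_bytes(), b"%PDF-1.7", len(key))
    return decrypt_file(crypted, recovered).read_bytes()


if __name__ == "__main__":
    print(demo())
```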
Impact
File encryption
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.