Rewterz Threat Advisory – CVE-2020-3184 – Cisco Prime Collaboration Provisioning Software SQL Injection Vulnerability
May 21, 2020
Rewterz Threat Alert – Covid-19 Themed Malicious URLs
Severity
High
Analysis Summary
Threat actors are continuously creating more sophisticated ways for malware to evade defenses. Researchers have observed Netwalker's use of reflective loading techniques and its move to fileless execution. The infection begins with a heavily obfuscated and encrypted PowerShell script. Once decoded and de-obfuscated, it identifies the system architecture in order to determine whether a 32-bit or 64-bit binary should be used. The relevant binary, embedded in the PowerShell script in hex format, is decoded and injected into the memory of the legitimate explorer.exe process, so no payload is written to disk. The script also deletes Shadow Volume Copies to prevent file recovery.

The Netwalker payload operates similarly to previous versions. It first kills processes and services related to user documents, backup software, and anti-virus programs. Targeted files include user files; critical system files are avoided to prevent rendering the system unusable. Finally, encryption is performed and a ransom note is dropped providing instructions for paying the ransom in exchange for decryption.
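The loader behaviours described above (architecture check, a large hex-encoded binary embedded in the script, in-memory injection into explorer.exe, Shadow Volume Copy deletion) each leave traces in PowerShell script block logging (Event ID 4104) even when nothing touches disk. The following detection sketch is an added example, not code from the advisory or from Rewterz; the pattern names, the hex-run threshold and the verdict labels are my own assumptions, and the sample records are constructed, with a repeated filler string standing in for the hex payload.

```python
import re
from dataclasses import dataclass, field

# Heuristic signatures for the loader traits named in the advisory.
# Names, thresholds and labels are assumptions made for this example.
INDICATORS = {
    # chooses between the embedded 32-bit and 64-bit binaries
    "arch_check": re.compile(r"\[IntPtr\]::Size|Is64BitOperatingSystem|Is64BitProcess", re.IGNORECASE),
    # a long contiguous run of hex digits: a binary carried inside the script
    "hex_blob": re.compile(r"(?:[0-9A-Fa-f]{2}){256,}"),
    # memory/thread APIs typical of reflective loading into another process
    "memory_api": re.compile(r"VirtualAlloc|WriteProcessMemory|CreateRemoteThread|NtCreateThreadEx", re.IGNORECASE),
    # the legitimate host process the advisory names
    "explorer_target": re.compile(r"explorer\.exe", re.IGNORECASE),
    # Shadow Volume Copy deletion to block file recovery
    "shadow_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|Win32_ShadowCopy", re.IGNORECASE),
}


@dataclass
class ScriptBlockEvent:
    """One script block logging record (Event ID 4104), already decoded."""
    record_id: int
    text: str


@dataclass
class Verdict:
    record_id: int
    label: str
    hits: list = field(default_factory=list)


def classify(event: ScriptBlockEvent) -> Verdict:
    """Match every indicator against the script text and derive one verdict."""
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(event.text)]
    if "hex_blob" in hits and "memory_api" in hits:
        label = "fileless-loader"   # payload carried in the script and written to memory
    elif "shadow_delete" in hits:
        label = "ransomware-prep"   # recovery is being disabled
    elif len(hits) >= 2:
        label = "review"            # several weak signals, worth an analyst look
    else:
        label = "benign"
    return Verdict(event.record_id, label, hits)


def triage(events):
    return [classify(e) for e in events]


# Constructed sample records (not real telemetry). The "payload" is a
# repeated filler string, not an executable.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, r"Get-ChildItem C:\Users -Recurse | Where-Object { $_.Length -gt 1MB }"),
    ScriptBlockEvent(2, "vssadmin list shadows"),
    ScriptBlockEvent(3, "if ([IntPtr]::Size -eq 8) { $blob = '" + "4d5a9000" * 128 + "' }; "
                        "$mem = [Win32]::VirtualAlloc(...); $target = Get-Process explorer.exe; "
                        "vssadmin.exe delete shadows /all /quiet"),
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_EVENTS):
        print(verdict.record_id, verdict.label, verdict.hits)
```

Because Netwalker's script arrives obfuscated, run this over the decoded script blocks that PowerShell logs after execution, not over the file on disk; the hex-run rule alone is noisy (certificates and large base64 blobs can trip similar rules), which is why the strongest verdict requires the payload and a memory API to appear together.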
Impact
File encryption
Indicators of Compromise
MD5: b1f0093b89561c6123070165bd2261e2
SHA-256: f4656a9af30e98ed2103194f798fa00fd1686618e3e62fba6b15c9959135b7be
SHA-1: aac57162dc1311f07a869f7163bd30e0d62dcc0e
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.