July 29, 2020
Severity
High
Analysis Summary
Netwalker ransomware attacks on foreign government organizations, education entities, private companies, and health agencies have been observed. Following a successful intrusion, Netwalker encrypts data on every reachable Windows-based device, rendering critical files, databases, and applications inaccessible to users. When executed, Netwalker reads an embedded configuration that includes the ransom note text, the ransom note file names, and various other options.
In March 2020, Netwalker spread through a Visual Basic Scripting (VBS) script attached to COVID-19-themed phishing e-mails; the script executed the payload once opened. In April 2020, actors using Netwalker began gaining unauthorized access to victim networks by exploiting unpatched Virtual Private Network (VPN) appliances, vulnerable user-interface components in web applications, or weak passwords on exposed Remote Desktop Protocol (RDP) services.
Two of the most common vulnerabilities exploited by actors using Netwalker are Pulse Secure VPN (CVE-2019-11510) and Telerik UI for ASP.NET AJAX (CVE-2019-18935); both were disclosed in 2019 and vendor patches were available well before this activity. Once an actor has a foothold in a network, a combination of tools may be run to harvest administrator credentials (the Mimikatz and pwdump variants listed below), steal valuable data, and encrypt user files. To encrypt files across a victim network, the actors typically launch a malicious PowerShell script with the Netwalker ransomware executable embedded in it, so the ransomware runs without a separate executable being dropped on disk.
Actors using Netwalker have previously uploaded stolen data to the cloud storage and file-sharing service MEGA.NZ (MEGA), either through the MEGA website or by installing the MEGA client application directly on a victim's computer. In June 2020, the actors transitioned from uploading and releasing stolen data on MEGA to uploading it to another file-sharing service, website.dropmefiles.com.
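The two CVEs named above have publicly documented request signatures: CVE-2019-11510 is an unauthenticated path traversal through the Pulse Secure HTML5 access handler under /dana-na/, and CVE-2019-18935 is exploited by posting to the Telerik RadAsyncUpload handler (Telerik.Web.UI.WebResource.axd?type=rau). The script below is an added example, not part of the Rewterz alert, that triages web-server access logs for those two patterns. The log lines, timestamps and IP addresses are constructed for illustration; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (Apache combined format). These are
# illustrative only, not real traffic from the alert.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Apr/2020:09:12:01 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1826 "-" "python-requests/2.22.0"
198.51.100.7 - - [14/Apr/2020:09:12:05 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.22 - - [14/Apr/2020:09:15:40 +0000] "POST /Telerik.Web.UI.WebResource.axd?type=rau HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Apr/2020:09:16:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: source, timestamp, method,
# request path and status code are all we need for triage.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# CVE-2019-11510: traversal out of the HTML5 access handler. Matching the
# traversal prefix rather than one target file (/etc/passwd, the LMDB session
# database, ...) keeps the rule independent of what the attacker read.
PULSE_TRAVERSAL = re.compile(r'/dana-na/\.\./dana/html5acc/guacamole/(\.\./)+')

# CVE-2019-18935: .NET deserialisation through the RadAsyncUpload handler.
# Legitimate uploads use the same handler, so this is a review signal, not
# proof of exploitation; correlate with source, volume and follow-on activity.
TELERIK_RAU = re.compile(r'/Telerik\.Web\.UI\.WebResource\.axd\?type=rau', re.IGNORECASE)


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it matches nothing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    if PULSE_TRAVERSAL.search(path):
        return {"src": m.group("src"), "cve": "CVE-2019-11510",
                "confidence": "high", "status": m.group("status"), "path": path}
    if TELERIK_RAU.search(path):
        return {"src": m.group("src"), "cve": "CVE-2019-18935",
                "confidence": "review", "status": m.group("status"), "path": path}
    return None


def triage_log(text: str) -> List[Dict[str, str]]:
    """Run triage_line over every line of a log file's contents."""
    return [h for h in (triage_line(l) for l in text.splitlines()) if h]


if __name__ == "__main__":
    for h in triage_log(SAMPLE_LOG):
        print(f"{h['src']} {h['cve']} [{h['confidence']}] HTTP {h['status']} {h['path']}")
```

A 200 response on the Pulse Secure traversal means the appliance served the requested file; on a patched appliance the same request is rejected, so status code is worth carrying into the finding as shown.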
Impact
- Files encryption
- Data Theft
- Unauthorized Access
- Information disclosure
- Network-wide infection
Indicators of Compromise
Filename
- qeSw[.]exe
- Invoke-Mimikatz[.]ps1
- mimikatzN[.]exe
- CORONAVIRUS_COVID-19[.]vbs
- Invoke-mimikittenz[.]ps1
- mimikatz[.]exe
- pwdump7[.]exe
From Email
- 2hamlampampom@cock[.]li
- galgalgalgalk@tutanota[.]com
- johprohnpo@cock[.]li
- cancandecan@tutanota[.]com
- galgalgalgawk@tutanota[.]com
- kavariusing@tutanota[.]com
- eeaammzzyy@cock[.]li
- hamlampampom@cock[.]li
- kazkavkovkiz@cock[.]li
- eeaammzzyy@tuta[.]io
- hariliuios@tutanota[.]com
- kkeessnnkkaa@cock[.]li
- eeeooppaaaxxx@tuta[.]io
- hhaaxxhhaaxx@tuta[.]io
- kkkwwwsvvv@cock[.]li
- knoocknoo@cock[.]li
- pabpabtab@tuta[.]io
- sevenoneone@cock[.]li
- kokbiglock@cock[.]li
- repairdb@seznam[.]cz
- sevenonone@cock[.]li
- kokoklock@cock[.]li
- rrrkkktttaaa@cock[.]li
MD5
- 258ed03a6e4d9012f8102c635a5e3dcd
- 73de5babf166f28dc81d6c2faa369379
- 3d6203df53fcaa16d71add5f47bdd060
- 7a1288c7be386c99fad964dbd068964f
- 5b80cbbdcb697c0b8ec26e6cf0ff305c
- 993b73d6490bc5a7e23e02210b317247
- 27304b246c7d5b4e149124d5f93c5b01
- 8fbc17d634009cb1ce261b5b3b2f2ecb
- 59881abed688ceba3d67c2ff22076ad8
- 6a64553da499c1d9a64d97f4de3882f5
SHA-256
- 8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c
- 58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c
- 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160
- 9f9027b5db5c408ee43ef2a7c7dd1aecbdb244ef6b16d9aafb599e8c40368967
- ad8d379a4431cabd079a1c34add903451e11f06652fe28d3f3edb6c469c43893
- de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d
SHA1
- 655352e00c7e478c3fed38bc6f407982dec3768d
- a3bc2a30318f9bd2b51cb57e2022996e7f15c69e
- 6fd314af34409e945504e166eb8cd88127c1070e
- e393a9ecf0d0a8babaa5efcc34f10577aff1cad1
Remediation
- Block the threat indicators above at their respective controls: sender addresses at the mail gateway, file hashes and names in endpoint protection, and the MEGA and dropmefiles.com upload services at the web proxy where they have no business use.
- Keep all systems, applications and software updated to the latest patched versions; in particular, confirm Pulse Secure VPN appliances are patched for CVE-2019-11510 and Telerik UI components for CVE-2019-18935, since both are actively exploited for initial access.
- Maintain a strong password policy, especially for accounts that can log in over RDP, and avoid exposing RDP directly to the internet.
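To act on the indicators above, an analyst needs them in matchable form (the page publishes them defanged, with "[.]" in place of "."), a file walk that compares names and hashes, and a sender check against mail logs. The script below is an added example, not part of the Rewterz alert or any vendor tool; it carries a subset of the page's indicators (extend the lists with the rest), and the temporary directory, fake file contents and mail-log lines it builds in demo() are constructed for illustration. Function names are this example's own.

```python
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Set

# Indicators transcribed from the alert, kept in their published defanged
# form. Subsets are shown here; add the remaining entries from the page.
IOC_FILENAMES = [
    "qeSw[.]exe", "Invoke-Mimikatz[.]ps1", "mimikatzN[.]exe",
    "CORONAVIRUS_COVID-19[.]vbs", "Invoke-mimikittenz[.]ps1",
    "mimikatz[.]exe", "pwdump7[.]exe",
]
IOC_SENDERS = [
    "2hamlampampom@cock[.]li", "galgalgalgalk@tutanota[.]com",
    "kokbiglock@cock[.]li", "repairdb@seznam[.]cz",
]
IOC_MD5 = {"258ed03a6e4d9012f8102c635a5e3dcd", "73de5babf166f28dc81d6c2faa369379"}
IOC_SHA1 = {"655352e00c7e478c3fed38bc6f407982dec3768d"}
IOC_SHA256 = {
    "8f834966a06f34682b78e1644c47ab488b394b80109ddea39fc9a29ed0d56a0c",
    "58e923ff158fb5aecd293b7a0e0d305296110b83c6e270786edcc4fea1c8404c",
}


def refang(ioc: str) -> str:
    """Turn the published defanged form back into a value that can be matched."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def file_digests(path: str) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file, computed in a single read pass."""
    h = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for d in h.values():
                d.update(chunk)
    return {k: d.hexdigest() for k, d in h.items()}


def scan_tree(root: str, names: Iterable[str] = IOC_FILENAMES,
              md5: Set[str] = IOC_MD5, sha1: Set[str] = IOC_SHA1,
              sha256: Set[str] = IOC_SHA256) -> List[Dict[str, object]]:
    """Walk a directory and report files that match a name or hash indicator.
    Name matches are case-insensitive (Windows file systems) and are a weak
    signal on their own: mimikatz.exe is a common tool name. A hash match is
    what ties a file to the samples in the alert."""
    wanted = {refang(n).lower() for n in names}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            reasons = ["filename"] if fn.lower() in wanted else []
            d = file_digests(path)
            for algo, known in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
                if d[algo] in known:
                    reasons.append(algo)
            if reasons:
                findings.append({"path": path, "reasons": reasons, "sha256": d["sha256"]})
    return findings


# Accepts "From: addr" and "From: Display Name <addr>" header forms.
SENDER_RE = re.compile(r"(?i)^From:\s*(?:.*<)?([^\s<>]+@[^\s<>]+?)>?\s*$")


def scan_mail_log(lines: Iterable[str],
                  senders: Iterable[str] = IOC_SENDERS) -> List[Dict[str, object]]:
    """Match From: header lines against the sender addresses used by the actors."""
    bad = {refang(s).lower() for s in senders}
    hits = []
    for n, line in enumerate(lines, 1):
        m = SENDER_RE.match(line.strip())
        if m and m.group(1).lower() in bad:
            hits.append({"line": n, "sender": m.group(1).lower()})
    return hits


def demo() -> Dict[str, object]:
    """Constructed sample: a temp directory holding a fake 'Mimikatz.EXE' and a
    benign file, plus three made-up mail header lines. Not real malware or mail."""
    root = tempfile.mkdtemp(prefix="netwalker-ioc-")
    fake = b"constructed sample file, not real malware"
    with open(os.path.join(root, "Mimikatz.EXE"), "wb") as f:
        f.write(fake)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign")
    by_name = scan_tree(root)                                   # filename hit only
    by_hash = scan_tree(root, sha256=IOC_SHA256 | {hashlib.sha256(fake).hexdigest()})
    mail = scan_mail_log([
        "From: Payroll <kokbiglock@cock.li>",
        "From: colleague@example.com",
        "From: REPAIRDB@seznam.cz",
    ])
    return {"by_name": by_name, "by_hash": by_hash, "mail": mail}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In demo() the constructed file's own SHA-256 is added to the indicator set only to show what a confirmed hash match looks like; in use, scan_tree runs with the page's hashes and a real directory such as a user's profile or a suspect host's temp folder.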