August 11, 2021
Severity
High
Analysis Summary
eCh0raix is a ransomware family used in targeted attacks, named after a string found in the malware. It does not appear to be intended for mass distribution: the samples with a hardcoded public key appear to have been compiled for each target individually. QNAP NAS devices running HBS 3 (Hybrid Backup Sync) could allow a remote attacker to bypass security restrictions because of an improper authorization vulnerability. An attacker could exploit this vulnerability to log in to a device.
Impact
- Credential Theft
- Unauthorized Access
- File Encryption
- Security Bypass
Indicators of Compromise
IP
- 98[.]144[.]56[.]47
- 64[.]42[.]152[.]46
- 183[.]76[.]46[.]30
MD5
- 2b39cbffdabdda37e3d05fc7603183d0
- afa284fac9382378497744e41ae24cca
- 1b2952d6ccb473fb24e820cdd60c49dd
- 461117f3dda072abc055ba080f6b21d4
- ca1432fadc3b4bef8d582d57ac0e6f5a
- 516291d10b370c7be3863335cf5d57eb
- effe75ab4e438e916c5ea012c450ae23
- f628f663871689fb277a83544cc9a798
- 88e4805cb7e08ffb870d72c56f455b2e
- 7dfed656ca6a4a14a4e40e2865ba7697
- f7f82b546377bb7cacb87b03220a8f8b
- 10930e9b91df2c91ca6606e8cf304d1f
- db9596e7c022bdc053698d31fbdba579
- 38bdb0cd9d08144d096362ac1a1e4116
- 91e7c89e6373419c0147dda3f4ba32a9
- e5dbaec74d7aa31e0e1af6a56e7a4fce
- da34c9a18d9693accc477b12695bcf37
- 0f43c8c411edff20933370d0a4648ec8
- e4acad02236bb70c0150d9e733869cf1
- 73f329ccdc6abeaada5c187f72fc3dc9
- 1175c093b7b008cf13a5bc7b93eb9421
SHA-256
- fedcce505a5e307c1d116d52b3122f6484b3d25fb3c4d666fe7af087cfe85349
- d2ebe2a961d07501f0614b3ba511cf44cb0be2e8e342e464a20633ed7f1fc884
- bb3b0e981e52a8250abcdf320bf7e5398d7bebf015643f8469f63d943b42f284
- a8accaab01a8ad16029ea0e8035a79083140026e33f8580aae217b1ef216febc
- 9d4bc803c256bd340664ce08c2bf68249f33419d7decd866f3ade78626c95422
- 7fa8ebcccde118986c4fd4a0f61ca7e513d1c2e28a6efdf183c10204550d87ce
- 6df0897d4eb0826c47850968708143ecb9b58a0f3453caa615c0f62396ef816b
- 670250a169ba548c07a5066a70087e83bbc7fd468ef46199d76f97f9e7f72f36
- 551e03e17d1df9bd5b712bec7763578c01e7bffe9b93db246e36ec0a174f7467
- 3c533054390bc2d04ba96089302170a806c5cdb624536037a38c9ecb5aeea75d
- 36cfb1a7c971041c9483e4f4e092372c9c1ab792cd9de7b821718ccd0dbb09c1
- 2fe577fd9c77d3bebdcf9bfc6416c3f9a12755964a8098744519709daf2b09ce
- 2e3a6bd6d2e03c347d8c717465fec6347037b7f25adae49e9e089bc744706545
- 21d5021d00e95dba6e23cee3e83b126b068ad936128894a1750bbcd4f1eb9391
- 19448f9aa1fe6c07d52abc59d1657a7381cfdb4a4fa541279097cc9e9412964b
- 154dea7cace3d58c0ceccb5a3b8d7e0347674a0e76daffa9fa53578c036d9357
- 0e4534d015c4e6691ff3920b19c93d63c61a0f36497cb0861a149999b61b98e1
- 0b851832f9383df7739cd28ccdfd59925e9af7203b035711a7d96bba34a9eb04
- 039a997681655004aed1cc4c6ee24bf112d79e4f3b823ccae96b4a32c5ed1b4c
- 230d4522c2ffe31d6facd9eae829d486dfc5b4f55b2814e28471c6d0e7c9bf49
SHA-1
- 2c0aaaf0e536160d232e9a66ebb5a3ea6993a124
- 67c40c4d11480eae0933c8da4d9a9b45ea214e51
- a43cb9204bc5e1b7efb97549715cb8152246e546
- 583d05411aea34eac3399cf8fd505a8eb93b8f75
- 987674651a905eeb2905a4e45fc260eaec170b95
- 52291b1660e73d69ca84175735d49a2b3d771845
- c47baef1eef20ac0e5b90a8431296843e6c6c2f8
- 955db50f05fbf2b96c0e0f0ca860f1d7b67bf2b0
- 8c634b67265ddf7ea86cb6e4f3a29d8e97ddf5ad
- 48399aec25e5f5940517a761ff85a542515345ad
- 90926cb9d4cc98e823b0eb17942e07787a2af620
- 6b0374473e8ce0cae9c26f7b44351e3339a08a7b
- 4645ab9178c9cf7330f5b50ddb6b627d58dfd43d
- 22923202faa4b53629b987d041aeca3e830c99d8
- 898253ff973fd125e0eb6eb94198f75d5b99f324
- 6eecf8581c28c083ef65ceff46b3f17e574a08eb
- 7f67427e9821d846842bd30e19fa3f353b4a1f74
- addd8ca06427d8dc7ffa5a16c3746cd61256f196
- 4f2b535040f466777d333cee8ae4580f3e5d7bda
URL
- http[:]//2[.]37[.]149[.]230/1/crp_linux_arm
- http[:]//2[.]37[.]149[.]230/1/crp_linux_386
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached to untrusted emails.
- Search for the IOCs in your environment.
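A small hunting script for the last remediation step, added here as an example and not part of the Rewterz alert. It refangs the defanged indicators above, hashes files under a directory and compares them with the listed SHA-256 values, and scans log lines for the listed IPs and download URLs. The log lines, the temporary files and the hostnames in them are constructed for the demonstration; only the indicators themselves are taken from the alert.

```python
"""Hunt for the eCh0raix IOCs from the alert in local files and log lines.

Added example, not the alert's own tooling. Indicators are copied from the
alert in defanged form; log lines and test files are constructed.
"""
import hashlib
import os
import re
import tempfile

# Indicators copied from the alert, still defanged ([.] and [:]).
DEFANGED_IPS = ["98[.]144[.]56[.]47", "64[.]42[.]152[.]46", "183[.]76[.]46[.]30"]
DEFANGED_URLS = [
    "http[:]//2[.]37[.]149[.]230/1/crp_linux_arm",
    "http[:]//2[.]37[.]149[.]230/1/crp_linux_386",
]
# Two of the SHA-256 values from the alert; extend with the full list.
SHA256_HASHES = {
    "fedcce505a5e307c1d116d52b3122f6484b3d25fb3c4d666fe7af087cfe85349",
    "d2ebe2a961d07501f0614b3ba511cf44cb0be2e8e342e464a20633ed7f1fc884",
}

# Constructed syslog-style lines; hostnames and times are invented.
CONSTRUCTED_LOG = [
    "Aug 11 10:02:13 nas sshd[812]: Accepted password for admin from 10.0.0.5 port 51022",
    "Aug 11 10:05:41 nas hbs3[1130]: inbound connection from 98.144.56.47",
    "Aug 11 10:06:02 nas wget[1201]: GET http://2.37.149.230/1/crp_linux_arm",
    "Aug 11 10:06:30 nas sshd[812]: connection from 98.144.56.4 port 40001",
]


def refang(indicator: str) -> str:
    """Undo the [.] and [:] defanging used in threat alerts."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, hashes: set) -> list:
    """Return the paths under root whose SHA-256 is in the IOC set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                if sha256_of_file(path) in hashes:
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the hunt
    return hits


def scan_logs(lines: list, ips: list, urls: list) -> list:
    """Return (line_number, indicator) for each line containing a listed IP or URL.

    IPs are matched as whole tokens, so 98.144.56.4 does not match 98.144.56.47.
    """
    ip_patterns = [
        (ip, re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")) for ip in ips
    ]
    hits = []
    for number, line in enumerate(lines, 1):
        for ip, pattern in ip_patterns:
            if pattern.search(line):
                hits.append((number, ip))
        for url in urls:
            if url in line:
                hits.append((number, url))
    return hits


def self_check() -> bool:
    """Create a constructed file, add its own hash to a copy of the IOC set and
    confirm scan_directory reports exactly that file."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "crp_linux_arm")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not the real binary")
        with open(os.path.join(d, "readme.txt"), "w") as f:
            f.write("benign")
        return scan_directory(d, SHA256_HASHES | {sha256_of_file(sample)}) == [sample]


if __name__ == "__main__":
    ips = [refang(i) for i in DEFANGED_IPS]
    urls = [refang(u) for u in DEFANGED_URLS]
    for number, indicator in scan_logs(CONSTRUCTED_LOG, ips, urls):
        print(f"log line {number}: matched {indicator}")
    print("directory scan self-check:", self_check())
```

Run it against a real log file by replacing CONSTRUCTED_LOG with the file's lines, and point scan_directory at NAS share mount points; the whole-token IP match avoids false positives from longer addresses that merely start with a listed one.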