Rewterz Threat Alert – New LNK Attack Tied to Higaisa APT

June 5, 2020

Severity

High

Analysis Summary

Researchers have attributed a recent campaign leveraging malicious LNK files in its infection chain to the Higaisa APT. The initial LNK file, which is delivered inside a RAR archive, runs a series of commands. First, it creates a copy of itself and of certutil. Then a base64-encoded blob stored inside the LNK file is decoded using the copy of certutil. The decoded content is then decompressed, which leads to the creation of a JS file, a tmp file containing shellcode, a decoy PDF, and an executable. The decoy document varied but included fake CVs and IELTS test results; it is opened during the infection process to distract the user. Upon execution, the JS file stores the output of ipconfig in a file, exfiltrates that file to a remote URL, and establishes persistence for the aforementioned executable via both the Startup folder and a scheduled task. The executable acts as a loader for the shellcode stored in the tmp file. Once loaded by the executable, the shellcode runs in memory and makes HTTPS requests to a C2 server.
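As an added example, not part of the Rewterz advisory, the following Python sketch turns the chain described above into host-level detection logic run over constructed Sysmon-style process-creation events; the event layout, host names, paths and file names are assumptions made for this example, and a host is reported only when several stages of the chain appear together.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events for this example:
# (host, image path, PE OriginalFileName, command line). ws02 is benign.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
     r"cmd /c copy C:\Windows\System32\certutil.exe %TEMP%\ct.exe"),
    ("ws01", r"C:\Users\u\AppData\Local\Temp\ct.exe", "CertUtil.exe",
     r"ct.exe -decode %TEMP%\blob.txt %TEMP%\blob.bin"),
    ("ws01", r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
     r"cmd /c ipconfig /all > %TEMP%\i.txt"),
    ("ws01", r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
     r"schtasks /create /sc minute /tn Update /tr %TEMP%\svchast.exe"),
    ("ws02", r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
     r"certutil -hashfile setup.msi SHA256"),
]
USER_WRITABLE = re.compile(r"%temp%|\\appdata\\|\\users\\public\\", re.I)

STAGES = {
    # certutil.exe copied out of System32 (the LNK's first command)
    "certutil_copied": lambda img, ofn, cmd:
        re.search(r"\bcopy\b.*certutil\.exe", cmd, re.I) is not None,
    # a renamed certutil (PE name still CertUtil.exe) decoding a base64 blob
    "renamed_certutil_decode": lambda img, ofn, cmd:
        ofn.lower() == "certutil.exe"
        and img.rsplit("\\", 1)[-1].lower() != "certutil.exe"
        and re.search(r"\s-decode\b", cmd, re.I) is not None,
    # ipconfig output redirected to a file ahead of exfiltration
    "ipconfig_to_file": lambda img, ofn, cmd:
        re.search(r"\bipconfig\b[^>]*>", cmd, re.I) is not None,
    # scheduled task whose action lives in a user-writable directory
    "schtasks_user_dir": lambda img, ofn, cmd:
        ofn.lower() == "schtasks.exe" and "/create" in cmd.lower()
        and USER_WRITABLE.search(cmd) is not None,
}

def correlate(events, min_stages=2):
    """Return {host: sorted stage names} for hosts hitting min_stages or more;
    requiring several stages per host keeps lone benign certutil use quiet."""
    hits = defaultdict(set)
    for host, img, ofn, cmd in events:
        for name, rule in STAGES.items():
            if rule(img, ofn, cmd):
                hits[host].add(name)
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, ", ".join(stages))
```

Startup-folder writes are file-creation events rather than process events and would be a fifth rule fed from a separate event source.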


Impact

  • Exposure of sensitive data
  • Information theft

Indicators of Compromise

Filename

  • CV_Colliers[.]rar
  • Project link and New copyright policy[.]rar
  • International English Language Testing System certificate[.]pdf[.]lnk

MD5


SHA-256


SHA-1


Remediation

  • Block all threat indicators at your respective controls.
  • Search IOCs in your environment.