Rewterz Threat Alert – Lemon Duck Cryptominer Spreads through Covid-19 Themed Emails
June 5, 2020
Rewterz Threat Alert – Medusa Locker Ransomware
June 5, 2020
June 5, 2020
Severity
High
Analysis Summary
Researchers have attributed a recent campaign that uses malicious LNK files in its infection chain to the Higaisa APT. The initial LNK file, delivered inside a RAR archive, runs a series of commands. First, it creates a copy of itself and a copy of certutil. Next, a base64-encoded blob stored inside the LNK file is decoded with that copy of certutil. The decoded content is then decompressed, producing a JS file, a tmp file containing shellcode, a decoy PDF, and an executable. The decoy document varied across samples but included fake CVs and IELTS test results; it is opened during the infection process to distract the user. Upon execution, the JS file saves the output of ipconfig to a file, exfiltrates that file to a remote URL, and establishes persistence for the executable via both the Startup folder and a scheduled task. The executable acts as a loader for the shellcode stored in the tmp file. Once loaded, the shellcode runs in memory and makes HTTPS requests to a C2 server.
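The chain above (a copied certutil decoding a blob, a script host collecting ipconfig output, a scheduled task and a Startup-folder drop for persistence) is visible in ordinary endpoint telemetry. The following is an added example written for this alert, not Rewterz tooling: it runs a few stage-level rules over constructed Sysmon-style process- and file-creation records and raises an alert only when two or more distinct stages occur on the same host within a short window, which keeps a lone administrator running certutil -decode from firing. The record field names (host, ts, type, image, parent_image, cmdline, original_file_name, target), the 15-minute window and all sample values are assumptions.

```python
"""Behavioural detection for the LNK -> certutil -> JS -> persistence chain.

Added example, not Rewterz's tooling. The events below are constructed to
resemble Sysmon process-creation (type "process") and file-creation
(type "file") records; every field name and sample value is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=15)  # assumed correlation window


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_stages(ev: dict) -> list:
    """Names of the chain stages a single event matches (may be empty)."""
    img = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("cmdline", "").lower()
    orig = ev.get("original_file_name", "").lower()
    stages = []
    if ev["type"] == "process":
        # Stage 1: a certutil binary used to decode a base64 blob. A renamed
        # copy keeps its PE original file name, so check that as well.
        if ("certutil" in img or orig == "certutil.exe") and "-decode" in cmd:
            stages.append("certutil_decode")
        # Stage 2: a script host collecting ipconfig output.
        if parent in SCRIPT_HOSTS and "ipconfig" in cmd:
            stages.append("ipconfig_collect")
        # Stage 3: a scheduled task created from a script host (or its cmd child).
        if img == "schtasks.exe" and "/create" in cmd and parent in SCRIPT_HOSTS | {"cmd.exe"}:
            stages.append("schtasks_create")
    elif ev["type"] == "file":
        # Stage 4: a script host writing into the per-user Startup folder.
        target = ev.get("target", "").replace("\\", "/").lower()
        if img in SCRIPT_HOSTS and "/start menu/programs/startup/" in target:
            stages.append("startup_drop")
    return stages


def detect(events: list) -> dict:
    """Return {host: sorted stage names} for every host on which two or more
    distinct stages occur within WINDOW of each other."""
    per_host = defaultdict(list)
    for ev in events:
        for stage in match_stages(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            window = {s for t, s in hits[i:] if t - t0 <= WINDOW}
            if len(window) >= 2:
                alerts[host] = sorted(window)
                break
    return alerts


# Constructed sample telemetry (not real logs): one infected host, one benign.
EVENTS = [
    {"host": "WS-01", "ts": "2020-06-05T09:00:01", "type": "process",
     "image": r"C:\Users\u\AppData\Local\Temp\ct.exe", "original_file_name": "CertUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"ct.exe -decode C:\Users\u\AppData\Local\Temp\blob.txt C:\Users\u\AppData\Local\Temp\out.cab"},
    {"host": "WS-01", "ts": "2020-06-05T09:00:20", "type": "process",
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"cmd.exe /c ipconfig /all > C:\Users\u\AppData\Local\Temp\d.txt"},
    {"host": "WS-01", "ts": "2020-06-05T09:00:25", "type": "process",
     "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"schtasks /create /sc minute /mo 10 /tn PLACEHOLDER /tr C:\Users\u\AppData\Local\Temp\svc.exe"},
    {"host": "WS-01", "ts": "2020-06-05T09:00:26", "type": "file",
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe"},
    # Benign: an administrator decoding a certificate by hand; nothing follows.
    {"host": "WS-02", "ts": "2020-06-05T10:15:00", "type": "process",
     "image": r"C:\Windows\System32\certutil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil -decode cert.b64 cert.cer"},
]

if __name__ == "__main__":
    for host, stages in detect(EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Correlating stages rather than alerting on any single one is the point: each rule on its own is noisy (certutil decoding, scheduled-task creation and Startup-folder writes all have legitimate uses), but two of them on one host within minutes, with a script host in the parent chain, closely follows the behaviour described above.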

Impact
- Exposure of sensitive data
- Information theft
Indicators of Compromise
Filename
- CV_Colliers[.]rar
- Project link and New copyright policy[.]rar
- International English Language Testing System certificate[.]pdf[.]lnk
MD5
- 278d191d794f84034c90bf9a3068d51e
- 2ffb817ff7ddcfa216da31f50e199df1
- b32a91f20a3efdbcfef53a578ae760ce
- c657e04141252e39b9fa75489f6320f5
- 997ab0b59d865c4bd63cc55b5e9c8b48
- 4a4a223893c67b9d34392670002d58d7
- 45278d4ad4e0f4a891ec99283df153c3
SHA-256
- df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d
- c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04
- 50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9
- 1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81
- c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b
- dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6
- c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5
SHA-1
- a04cc29ba0f37607e25e55875b4b02779675a80a
- 51277838c0492012065ad38abe02e7be9410df7a
- e02a0449c500603de8613e1565eba68027ad0c5e
- 9b638f77634f535e52527d43ad850133788bfb0c
- 0f1f2431ecccb980f7d93b9af52139d0d508510f
- 281c1b196cd992906d8583e64011dc28d9c52e3c
- d500cec0ce5358751f3371b69a4a9bc402df8af4
Remediation
- Block all threat indicators at your respective controls.
- Search IOCs in your environment.
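A minimal way to carry out the second remediation step on a file share or a suspect workstation, as an added example that is not Rewterz's tooling: hash every regular file under a directory once (all three digest algorithms in a single read) and report any file whose name or digest matches the indicators listed above. The defanged file names are refanged before comparison. The directory layout, file contents and the demo() helper are constructed for illustration.

```python
"""IoC sweep for the file names and hashes listed in this alert.

Added example, not Rewterz's tooling. The indicator values are copied from
the alert above; the sample directory built by demo() is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

FILENAMES = {
    "CV_Colliers[.]rar",
    "Project link and New copyright policy[.]rar",
    "International English Language Testing System certificate[.]pdf[.]lnk",
}
HASHES = {
    # MD5
    "278d191d794f84034c90bf9a3068d51e", "2ffb817ff7ddcfa216da31f50e199df1",
    "b32a91f20a3efdbcfef53a578ae760ce", "c657e04141252e39b9fa75489f6320f5",
    "997ab0b59d865c4bd63cc55b5e9c8b48", "4a4a223893c67b9d34392670002d58d7",
    "45278d4ad4e0f4a891ec99283df153c3",
    # SHA-1
    "a04cc29ba0f37607e25e55875b4b02779675a80a", "51277838c0492012065ad38abe02e7be9410df7a",
    "e02a0449c500603de8613e1565eba68027ad0c5e", "9b638f77634f535e52527d43ad850133788bfb0c",
    "0f1f2431ecccb980f7d93b9af52139d0d508510f", "281c1b196cd992906d8583e64011dc28d9c52e3c",
    "d500cec0ce5358751f3371b69a4a9bc402df8af4",
    # SHA-256
    "df999d24bde96decdbb65287ca0986db98f73b4ed477e18c3ef100064bceba6d",
    "c3a45aaf6ba9f2a53d26a96406b6c34a56f364abe1dd54d55461b9cc5b9d9a04",
    "50d081e526beeb61dc6180f809d6230e7cc56d9a2562dd0f7e01f7c6e73388d9",
    "1074654a3f3df73f6e0fd0ad81597c662b75c273c92dc75c5a6bea81f093ef81",
    "c613487a5fc65b3b4ca855980e33dd327b3f37a61ce0809518ba98b454ebf68b",
    "dcd2531aa89a99f009a740eab43d2aa2b8c1ed7c8d7e755405039f3a235e23a6",
    "c0a0266f6df7f1235aeb4aad554e505320560967248c9c5cce7409fc77b56bd5",
}


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' back into a real dot for comparison."""
    return indicator.replace("[.]", ".")


def file_digests(path: Path, chunk: int = 1 << 20) -> dict:
    """MD5, SHA-1 and SHA-256 of one file, computed in a single pass."""
    hashes = {algo: hashlib.new(algo) for algo in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashes.items()}


def sweep(root, hash_iocs=HASHES, name_iocs=FILENAMES) -> list:
    """Walk root and return (path, kind, value) for every indicator match."""
    names = {refang(n).lower() for n in name_iocs}
    hashes = {h.lower() for h in hash_iocs}
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() in names:
            findings.append((str(p), "filename", p.name))
        for algo, digest in file_digests(p).items():
            if digest in hashes:
                findings.append((str(p), algo, digest))
    return findings


def demo() -> tuple:
    """Build a constructed directory in a temp dir and sweep it twice:
    once against the alert's indicators, once against the hash of a
    constructed file (so the hash path is exercised too)."""
    content = b"constructed sample content"
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "sub").mkdir()
        (Path(tmp) / "sub" / "notes.txt").write_bytes(content)
        (Path(tmp) / "CV_Colliers.rar").write_bytes(b"not the real archive")
        against_alert = sweep(tmp)
        sample_hash = hashlib.sha256(content).hexdigest()
        against_sample = sweep(tmp, hash_iocs={sample_hash}, name_iocs=set())
        return against_alert, against_sample


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

A file-name match alone is weak evidence (the constructed CV_Colliers.rar above is not the real archive), so treat name hits as a prompt to submit the file for hashing and sandboxing, and hash hits as confirmed indicators worth isolating the host for.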