Rewterz Threat Advisory – Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

October 28, 2019

Rewterz Threat Advisory – CVE-2019-18188 – Trend Micro Apex One Arbitrary File Upload with Command Injection Vulnerability

October 29, 2019

Rewterz Threat Alert – Possible New BadPatch Campaign Uses Multi-Component Python Compiled Malware

October 28, 2019

Severity

High

Analysis Summary

FortiGuard Labs came across an interesting tweet from the security researcher @h4ckak about a suspicious file that looks to be a decoy file in an APT campaign. Upon digging deeper and found that this file might be part of a new BadPatch campaign. BadPatch is a tag used for a set of malware that was used in a campaign with a possible link to the Gaza hackers group which was first reported in 2017. This group has been involved in an espionage campaign targeting the Middle East since 2012 based on the compilation timestamp of the first malware discovered. Since then, BadPatch has gone off our radar for almost two years.

This malware is a multi-component python-compiled malware that has the capability to steal and exfiltrate data from targeted victims. We will also be discussing some patterns as proof of this malware’s possible link to BadPatch.

Attack Vector

The attack sample uploaded to VirusTotal is an executable file named ???? ??????? ???? ????? .scr (Prime Minister Mohammad Ishtayeh .scr). Although we didn’t find the initial vector from which this file came, we believe that it was distributed as an attachment to spam emails, similar to previous BadPatch attacks.

This executable file is an SFX executable containing two files:

Fig. 3. SFX executable containing the decoy document

When executed, this file opens the decoy .doc file, which contains text that looks like it was drawn from a news article from Sama News.

It also executes the file d.exe, which only works on 64-bit Windows machine. We believe, though, that a 32-bit version may also exist as other component files. The d.exe file is responsible for downloading three files.

Impact

Exfiltration of data
Exposure of sensitive information

Indicators of Compromise

SHA256

5badba04b373165ffe46b2f96b7f8a57ea352ba3800c34a535143b653fe2153f
ab08a5bdaeb122ad07f68ec747e4ee1681f7572ad69431d0a2038a6e2a6afce5
75ce26405f46304abdca26e54bbd11506942a6f5bbd64c2974a68fd94087e814
9e64a490e5592b9d9064d018c559ae251e2ed757f0f2215aa4acbf4df183688a
4d89147a7ac41b66aa037294ab96d83c5ce538a40b7c385461f0699e5859bc77
3dd6947dcb20e3c2fb5a54ed906ca51fab16563b207bd29cefd64d77d38ded66
85a1b924d766524f6760869e412b49d603cdf9975831e912463774913b6886ca
ae912cba54e7e8339f43530f70deb5ae1bcc780fdd4b80569cbe628509468de4
a80e0118afe0dfba5c2802007041acacdce4222e03f8b64c0c3bd50ea6bf1032
f0e3a5918ae76558b3a0ab50135403aadec88c55ffdc07624cbc5b8c2ba3669b
d97c841306828f9ebf6d7c0a69b33e82534f1ecf09554742a58f0d59d99b15af
fc0ac7f8d9346baf6e4e81d3a4d3bcb72bcd9e2269adfb36617bccd8a987a9e2

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us