July 1, 2020
Severity
High
Analysis Summary
PROMETHIUM threat actors have been expanding their attempts to infect new targets, most likely in Colombia, India, Canada, and Vietnam, with the StrongPity3 malware. The group is distributing the malware through four trojanized setup files: installers for Firefox, VPNpro, DriverPack, and 5kPlayer. The initial attack vector is not currently known; given the nature of the trojanized files, it could be a watering hole or in-path interception of the download. The trojanized setup files install the malicious components alongside the legitimate application, seemingly to mask the installation of the malicious files. They also alter Windows Defender so that the malicious files can be dropped without being detected. The malware is capable of exfiltrating any Microsoft Office files it finds.

The differences between StrongPity2 (SP2) and StrongPity3 (SP3) are few. First, SP3 no longer uses libcurl and relies only on winhttp to communicate with its C2 node(s). Second, persistence, which SP2 achieved through a registry key entry, is now achieved through a created service; the service name changes from package to package.
Impact
- Data exfiltration
- Detection evasion
- Security Bypass
Indicators of Compromise
Domain Name
- state-awe3-apt[.]com
- hostoperationsystems[.]com
- cdn2-system3-secrv[.]com
- ms6-upload-serv3[.]com
- update5-sec3-system[.]com
- upd8-sys2-apt[.]com
- mentiononecommon[.]com
- safecopydisk[.]com
- network-msx-system33[.]com
- upd32-secure-serv4[.]com
- mailtransfersagents[.]com
- secure-upd21-app2[.]com
- syse-update-app4[.]com
- app-system2-update[.]com
- mx3-rewc-state[.]com
- fileservingpro[.]com
- inhousesoftwaredevelopment[.]com
- system2-cdn5-mx8[.]com
- upd-ncx4-server[.]com
- apt5-secure3-state[.]com
- file3-netwk-system[.]com
- upd3-srv-system-app[.]com
- system2-access-sec43[.]com
- service-net2-file[.]com
- updt-servc-app2[.]com
- ms-sys-security[.]com
- ms21-app3-upload[.]com
- awe232-service-app[.]com
SHA-256
- 84942df440c892c1e63aff41d9fe4694ea4b8a9102c62faf07c4510671abef13
- c59544a76fd425b76d7d9b4805d817c8a91a6a63c9862200c927e27efcd20bfa
- bdbc514e274d70e260620d9b7dcfc3ee4cf4eb321474dfbd1eb81d2f17cebc23
- b75fbe3b21d83e2000928349d1610f292e1a4c072fd0454309fe1c6c7d85ff46
- 5cb8f86e03a544531d972e132c81d6785b66dd1b15b6c35a0a04fd83a8bed695
- f8c953a9b737c5fe69ab9cfb5b20d576f15396a40de10ea6c3216042a97132f4
- 783b3c61a4069f0325f3560ab9664ff5fb381f37b08a3d4eb4866ba6bc194135
- 3e58d7efc5e03bd06f227041e5c73f4ecfa5e35ca8419a9ff8b8571eafd34e48
- c72bf8537fc189b81855666d7f59ad8e24011c735921a15932275757a485e7a4
- 17adbb68c3410d3f1c4c19b1808149e74148839f1c082c3011bff86ddb71acb4
- dbd6393bf96518218b4f4522aef4ffa27e517cbce7252841b86031354aec031a
- e4135bfeda1de00c3834f7782b77fdb2811f5d07fc60f643553426d9e45b664c
- dd40b8ddb5a5795536a65cc0ab6dcc84862d4e14965cde6b4e9ad2b89a0e3905
- e80034618538abc1c86a7021ab869c4ce63429d35adbaf8c07ce25f297a61bd2
- 3ce08ada9cf964789ce70fd2637ded197ac5b154e0b71e9cdb4d99de7ab52267
- 02d68d2a9b62d1fd79c80e7c01182d18966a8fccc07d997b0f4c3ef71e87910f
- d0ee66f8be0ed721774391365604de70dda4751213a667812e4c4a661f71559d
- 80ad6598f6e0b7c2b7258cbb69aa782dbcac308ca3d9d451b9bb5290b943a58f
- 5190c4fbddb2bfd08ce4a11714ec54dcaf57978f6193720c5b2c7127ef2c5f1f
- 2c3b3c085b3992ab105bbc4696391f4f81374c54bb8966e53d2b2de8b7648681
- 2b62a469fa9737dabc52840a741a7d71c86c74bd6909c30cb481e2d66e0df75e
- 835a545fe93bfa75931079ef36169bfc56906f74b9b9862848ff79534b33f416
- 3165650b667f315eae56895ee2041ffb17f89a92b034efd045f5e88bf788016d
- fad11a279c6fe195f8110702f962c5296015344da17919b361f73f7f504063ca
- 3feb6ecbc3b5f4ef64cf974fc117e58ac750188c483c488dd5b5970263bfdb0e
- 5b5b0a0ff8e5bdf11657e0134a638a818e31af9517e5feffea247eaa2660ee23
- 4282ac2c4b38f2fa79b3f77f9af80053befb69634f8e93d9e1941a600ae08857
- c790e1916a475fbc18e7f239acf0d9399234cf2160529ba25ab44179674d549a
- 154f3f4338184bc113dc874de6270a025d6d9c3d2a989f2b32d7d90fa222e0c9
- 211aae5346741680cb921d73e2833368cd0f0cc36e15b16115599554dcb2386d
- 2ed2553ec6efdf24266be1eb812ab1978ec926d1b8bf281a547be2e43173eeee
- d63533bb200525a0a88a68c592c8d4f534fcf83b0acf8ec6be24b7059b0352ae
- a6298a1b8c9844764c731327bb1daa7abd50cd85b9f5556e38bd5c88b8184cc4
- 8e670fc7e22d0fa3eb96262686bd7eec18f81e3dc1eb9b55526078ffd9ae00c3
- b06ab1f3abf8262f32c3deab9d344d241e4203235043fe996cb499ed2fdf17c4
- 55e83292bd9a1f843639bfb98648a40b931a9829d62e6b23904034c417ffa430
- 24e8f4917bb3cf7d6fd91fc1c95e978ea75a0e6da9033911e48b0fda94be62af
- e2cd8fd988a9a08f4bd73d7343ae54e68ee2a0a4728277792115edc86900e899
- a4377256776becf75f0f61874cfec3729e17e894f5c9fc1576321f0398142878
- ea4b507c3236b56ef4ea44f5ac9a531a175d643d184e356ae8833d36c1957372
- a1ce1b78cc1a9d6092b086f2d0796cde519033ec0935d9cecdea86b6cda87882
- 55b0bc3b61ee76561ffaa1323fd20a9522e786bfa5eadbba621582ad529ff9e1
- c1787de8b5a293197582000d8b94095d8377a5d42aa0b4940a7039cbf4df4b72
- 11849a6fcb76267676532422db4e9bf4f5c8c525fea0d950f844736bedb8b53e
- b1916e7de11e87fa45c222d0532955e781f6695ae0ee15775894d3b3aa72ba98
- 68f5819687e8f410dea315f32cd04e33ca7c3ec62e9bb9bae9e03b5ded29970e
- c936e01333e3260547a8c319d9cfc1811ba5793e182d0688db679ec2b30644c5
- a83a882fbe094f4d00a8dc589869adc8a1432a966295fa0c46c2afcced3aac1f
- 2ab2a6e863538b162b0c7b4287b3e9f65116a9ad9efce6ebb9018c69bbf71460
- ea750383d3af605e5cdf2647b9cd30886aa8a428b3bcf6bc96cc178c9afa78d9
- b4548a933d5a59d096d75ad4c6aec1046017a62ca2a1d59edd2d97d760dca1eb
- 03c314990a8d262530f114092c85fd9ddcbd8c423f8bd769864809d1af2f5fad
- b1413688f6452b07129e5182311c7efd628bb795613c23fc58c4202e38dda4e7
- 8e3993583cd2506ccbac4b247949ddee7d6971432576a0f9c485f9f0942054ae
- f1a3c2bd241e09f4e98ca15c0d3d804297086c84883d81bb8b74960c6e986555
- 44ba0bfe401a07f4570fd3ca26f5955350ac831a21326face55465f8d9a7ec52
- 418203a531ceb1f08a21b354bc0d3bf8f157c76b521495c29639d7bffa416b38
- 2a7898573bd8be121eda249e7521efd2d599354d51fabae7edafef9d60dae8b1
- 40e99d0dfc27c66170ed57610a1c3cc9a0b6e87a0d544d739f828f10faf2758b
- ff8b71b7e9b320d272babb15324b7417f182313f71c4af0b9961424a12154b66
- 3a96f09255af4eb1d3fe3ea6dd4befc71543ef317b1d9f9561255a725eb48a62
- fa68aa01fad37dd7e7d6222ef833ec4e63317c0821a45834dfe284fdafb9069a
- bac8489de573f614d988097e9eae53ffc2eb4e7dcb0e68c349f549a26d2130a8
- 89f1a82f4919db731cc4a5c5a71fbe1a9a1d362b6da61b018c89ea2cd26c0de3
- c2c333a5f46eb5894f05f3323ab8aea87b3c2e9ba0221c28dcf46b0842592ac6
- 6f0b9fdc7edf43a9d1262263320e623a7e2b349f54185491262fe5184413222f
- 6684c2348d205962d41977b2db6263733809b635cdc039447373c34e04d6bc20
- ed2aa3272db6eebedcabbb3c61cb699e6ec5d91b4297b8a6186a03f5b4999a80
- 18c6224decd141a6412f3d2aa71dbd086e9a71bd51b3baed1cb2b2715d676872
- d77901484e91445d8d11b82ff487b9e56b48930fe3086e5858ea754e9f490c1f
- d912445a5e8beda7e842756fd6e598d91ef0526c913a6f1e6135957f19fa64ca
- fa71584f27f5eacca9f3d5644fd06ccebcc14b8394efeaccd38259f8382c26e5
- 586fc08567a69f4abbafd05c98be469dfaaa9b93eaccc5043dcf22d2b666bf63
- fbd66a4f385e8c573c51c19a49c7e9c2ffa1639f4648721591b7ea0af845a313
- e26a76def39740596843a57c3edcfe9f5000af5f5b538215a5799db58f41fe33
- fcfd34f99b0a5f4bb91c0d6eaa9b2fdcc3bf9b3dd594213a389a056828a537c1
- f694f02ee26d544ad41f543ecd166bd71d02b3723b8a5ee515a9c2944a667971
- 12e670dc36ac50e86a58f759fa4a5de25e574227a19e1942aaa788c82540a910
- e8e2f7538530b6ea3f4726b13bf76c4e0696cdaf1a0547294b447c21df1c594d
- 4ee465d58613c03c15c0e92728bba76a065149d4773a1ce59c76d414d70fb190
- 4235f33576b503faacbafb1b612f5fdf91fb406e73964f61064f232bd2b9c21c
- d8d0c3854c54e2bacb40ead54d94268dda6ea6aef1ac1f78b8d10b990a4441a2
- 39cf2459a85f9b8bcc81233964e05dec3f5ec9e8de74329f995c6a0cc8a8db36
- dd812ba2bc5f441d8a9594443040f8fea7e3f91bdf1dd1968bbbbc7747e0bc68
- e4c55a5b1c07d93b2ae956f7404279c1a68344e7d27e6a3aa917c79c17f7fa05
- 2ee74ceaa5964cf223aefb3cf4e0c25ea96c7d4bc0eba48439716e763d2f3837
- 65041a83c88ba90e489de8ac275688815c51b93ae568c627b74fc160d2db6bab
- 7ae0aa490bad2fa152cd097caaaebfcef7a393a74e886a02b22109b38a4d9fc4
- e843af007ac3f58e26d5427e537cdbddf33d118c79dfed831eee1ffcce474569
- 1af0958f8590b626bedfcd1972cd3ea49d9576db86f1e768e5520f9615d01a19
- cac5c0da0b4495a1dee326e4259fb8bcdecb162a780d0d215ad33e751ebbff34
- c94e52455826c63a8800e6a66d72db467e1266f3b06aabbaad14c0d7463ee266
- bb4628f0b29d906f1ec4c41a5fe5f7fe1b53432b765d5ef0a560e8d2ef5e5541
- 6d4af9f7e14e1ae7f871cd0bcdd87927cde8d236fd9d37e76554729abe3e31e4
- 6424307ea25f1889e4b9fb8a64d860e42681cddf71a5a70af7963ab282225c8d
- dbf3e5bb9b7b5806d831617fbeed088d56fc2f5794a833d24eff96c165ba417b
- 64a448ee194fe58c8c212faa4fbe737f8088ef387cc4551a0f1d86e9d4bdab02
- 9ce65cced9949cef6b69f86542533e653b91ce7d43cb6b51e8ae402b6dadf651
- 61f8dc6d618572a86bd0b646d16186bb6b0fff970947a7df754add4f65ec8625
- 91e20fb663b1809279666fb1e7ef7bd8da42ae51e0c05b51515ba851e2a991ac
- d40a3503a960663187a83f560e94563cd11606a610a4b176b0ac065af037f175
- 7c195b85528b3ed75672fbcea0d32a2f45d541cf8c71e855b03d6266a8facdc0
Remediation
- Block the threat indicators at their respective controls.
- Do not download files from untrusted sources.
- Keep all software and browsers updated to the latest patched versions.
- Only download software from authentic and official sources, and verify the installer's digital signature and vendor-published hash before running it.
- Review endpoints for unexpected newly created services and for changes to Windows Defender settings, since these are the persistence and evasion mechanisms described above.
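The following script is an added example of how to apply the indicators above, not part of the original alert or Rewterz tooling. It refangs the published `[.]` domains, matches them (including subdomains) against DNS query logs, and hashes a directory tree against the SHA-256 list. The DNS log format (timestamp, client, query name) and the log lines and files it scans are constructed for the demonstration; only the domains and hashes come from the page.

```python
"""Match the StrongPity3 indicators above against DNS logs and files.

Added example for this alert, not Rewterz's own tooling. The DNS log lines
and the files hashed in demo() are constructed; the log shape
"<timestamp> <client> <query name>" is an assumption. Only the defanged
domains and SHA-256 values below are taken from the alert.
"""
import hashlib
import os
import re
import tempfile

# Subset of the domains published in the alert, kept defanged as listed.
DEFANGED_DOMAINS = [
    "state-awe3-apt[.]com",
    "hostoperationsystems[.]com",
    "cdn2-system3-secrv[.]com",
    "fileservingpro[.]com",
    "ms-sys-security[.]com",
]

# Subset of the SHA-256 hashes published in the alert.
SHA256_IOCS = {
    "84942df440c892c1e63aff41d9fe4694ea4b8a9102c62faf07c4510671abef13",
    "c59544a76fd425b76d7d9b4805d817c8a91a6a63c9862200c927e27efcd20bfa",
}

# Assumed log line shape (constructed for this example).
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def refang(domain):
    """Turn the published 'example[.]com' form back into a real hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def domain_matches(qname, iocs):
    """Return the indicator that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for ioc in iocs:
        # 'notfileservingpro.com' must not match 'fileservingpro.com',
        # so require either equality or a '.'-separated suffix.
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines, iocs):
    """Return (timestamp, client, qname, matched_ioc) for every hit."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the scan
        ts, client, qname = m.groups()
        ioc = domain_matches(qname, iocs)
        if ioc:
            hits.append((ts, client, qname, ioc))
    return hits


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large installers do not get loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes):
    """Return {path: sha256} for every file whose digest is in the IoC set."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            d = sha256_file(p)
            if d in hashes:
                found[p] = d
    return found


def demo():
    """Run both scans on constructed input; returns (dns_hits, file_hits)."""
    iocs = {refang(d) for d in DEFANGED_DOMAINS}
    dns_lines = [  # constructed sample log, not real traffic
        "2020-07-01T10:15:02Z 10.0.0.12 www.example.org",
        "2020-07-01T10:15:09Z 10.0.0.12 cdn2-system3-secrv.com",
        "2020-07-01T10:16:44Z 10.0.0.31 upload.fileservingpro.com.",
        "2020-07-01T10:17:00Z 10.0.0.31 notfileservingpro.com",
        "malformed line",
    ]
    dns_hits = scan_dns_log(dns_lines, iocs)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign constructed file")
        sample = os.path.join(root, "setup.exe")
        with open(sample, "wb") as f:
            f.write(b"constructed sample, not a real StrongPity3 installer")
        # Add the constructed file's digest so the file-scan path is exercised;
        # real hunting uses SHA256_IOCS alone.
        hashes = SHA256_IOCS | {sha256_file(sample)}
        file_hits = {os.path.basename(p): d for p, d in scan_tree(root, hashes).items()}
    return dns_hits, file_hits


if __name__ == "__main__":
    for hit in demo()[0]:
        print("DNS hit:", hit)
```

Feed real resolver logs to `scan_dns_log` and a download or `Program Files` tree to `scan_tree` with the full lists from the alert; a subdomain match is reported against its parent indicator so that hosts such as `upload.<ioc>` are not missed.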