Severity
Medium
Analysis Summary
Spam messages carrying a ZIPX attachment have been detected distributing a malicious file that ultimately leads to a NanoCore infection. In earlier campaigns, the same method was used to deliver Lokibot.
The emails, which claim to come from the Purchase Manager of organizations the cybercriminals are spoofing, look like ordinary malspam except for their attachment. The attachments, named in the format “NEW PURCHASE ORDER.pdf*.zipx”, are actually image (icon) binary files with extra data appended, and that extra data is a RAR archive. If the attachment evades the scanning email gateways, the next hurdle is the victim’s machine, which needs an unzip tool capable of extracting the executable inside the attachment. When extracting the EXE from the current .zipx files, WinZip does not support unzipping either sample, whereas WinRAR manages to extract the EXE contained in both.
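A gateway-side check for the trick described above, written as an added example (not code from the advisory): it inspects bytes that arrived under a .zipx name, identifies the real container from its file signature, and reports a RAR archive appended after icon data. The magic byte constants and the two sample blobs are constructed here for illustration.

```python
import struct

# Well-known file signatures (constructed constants, not from the advisory)
ZIP_MAGIC = b"PK\x03\x04"                  # ZIP/ZIPX local file header
ICO_MAGIC = b"\x00\x00\x01\x00"            # ICONDIR: reserved=0, type=1 (icon)
RAR_MAGICS = (b"Rar!\x1a\x07\x01\x00",     # RAR 5.x
              b"Rar!\x1a\x07\x00")         # RAR 4.x

def classify_zipx(data: bytes) -> dict:
    """Inspect bytes that arrived under a .zipx name.

    A genuine ZIPX archive starts with a ZIP local file header. The
    campaign's attachments instead start with an ICO header and carry a
    RAR archive appended after the icon data, which WinRAR will still
    open. Both conditions are reported so a gateway rule can act on them.
    """
    if data.startswith(ZIP_MAGIC):
        container = "zip"
    elif data.startswith(ICO_MAGIC):
        container = "ico"
    elif any(data.startswith(m) for m in RAR_MAGICS):
        container = "rar"
    else:
        container = "unknown"

    # Find a RAR signature anywhere in the blob, not only at offset 0.
    rar_offset = None
    for magic in RAR_MAGICS:
        off = data.find(magic)
        if off != -1:
            rar_offset = off
            break

    # Suspicious if the declared type and the real container disagree, or
    # if an archive is glued onto the end of some other file format.
    suspicious = container != "zip" or (rar_offset is not None and rar_offset > 0)
    return {"container": container, "rar_offset": rar_offset, "suspicious": suspicious}

# Constructed samples (not the advisory's real attachments).
# Fake icon: 6-byte ICONDIR + 16-byte ICONDIRENTRY + 8 bytes of "pixel" data,
# then a RAR 5 signature followed by padding: the appended-archive trick.
ICON_BYTES = (struct.pack("<HHH", 0, 1, 1)
              + struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, 8, 22)
              + b"\x00" * 8)
SAMPLE_ICO_RAR = ICON_BYTES + RAR_MAGICS[0] + b"\x00" * 16
SAMPLE_REAL_ZIPX = ZIP_MAGIC + b"\x00" * 26

if __name__ == "__main__":
    for name, blob in (("ico+rar", SAMPLE_ICO_RAR), ("real zipx", SAMPLE_REAL_ZIPX)):
        print(name, classify_zipx(blob))
```

The same check applies to any extension whose expected signature is known; only the declared-type table needs extending.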
Impact
- Detection Evasion
- Unauthorized Remote Access
Indicators of Compromise
Filename
- NEW PURCHASE ORDER[.]pdf[.]zipx
MD5
- 45c835e4b86073bc3f9edaa27bc41a89
- 507200d400755bcc62ae9a757d01990f
- 922d4f5923154da460d11b5837764536
- d60ee54c1f4a554fe49a176dbd134a3b
SHA-256
- 4fd4456433090cb1cc076463b7cb20116243d4996a7284cfe539bfa4d25ae929
- 1dd3771ad86a68f08bf75e3e330f8548283dc1909d5e69ae694aeb4f5f9be3ed
- 9653d7bbee740884067ab7deb5a6bfa87a39efd126a1e906d88c06569afa9d69
- d2e897665e02d48a99beaa5a6ab7ff7a299e631564603b4306ca5fcbbd299602
SHA1
- df46a893b51d8ade0ccdef7e375fb387e2560720
- c93fba54357e90235202f58da1feff7ab1142f65
- fd958c365b6bfa5ef34779831773ec92c041a5d5
- e99f6b9bd787679666f8c54b9a834d6acecfa622
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.