• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Mekotio Banking Trojan
August 18, 2020
Rewterz Threat Alert – AZORult Malware – IOCs
August 18, 2020

Rewterz Threat Alert – PurpleWave—A New Infostealer from Russia

August 18, 2020

Severity

Medium

Analysis Summary

Infostealer is one of the most profitable tools for cybercriminals, as information gathered from systems infected with this malware could be sold in the cybercrime underground or used for credential stuffing attacks. Researchers came across a new Infostealer called PurpleWave, which is written in C++ and silently installs itself onto a user’s system. It connects to a command and control (C&C) server to send system information and installs new malware onto the infected system.

Upon execution of the PurpleWave binary, it gives a fake error message in the Russian language that can be customized by the attacker in their panel. But in the background, it performs all of its malicious activities.

Fake error message (translated:Memory control blocks damaged)

The name of the stealer (PurpleWave) and the version (1.0) are hardcoded and encrypted in the binary. Most of the strings in the binary are encrypted, but they get decrypted on runtime with the help of the decryption loop present in the binary .The PurpleWave binary creates a mutex with the name “MutexCantRepeatThis” to avoid multiple executions of malware instances. After that, it sends the HTTP POST request with the custom header and body to the C&C URL to get the configuration data.

Impact

  • Information theft
  • Exposure of sensitive data 

Indicators of Compromise

MD5

  • 9e4d3f4439ed39c01f3346fbdb7488ae
  • ac17a56355914e231b2ad52e45d6f779
  • 30898909fd4bf93fe23c62e6962bed11
  • b5fb35be12c66f16f55af2c2abc77e55
  • 394298eed78d455416e1e4cf0deb4802
  • b18bcb300ae480b16a0e0b9110e1c06c
  • 02350ffa6b82cd2079797ed4ba1dd240
  • 01c8d886bd213f983d0fd5ad35d78a9a
  • 7a728f42940f5bcb50ac9a5c57c1d361
  • e23ded17cdf532790f708e8a550969eb
  • 0212eb9562992da05ab28effb9d64d8a
  • 53bc8e68a9028c58941b78e4ad867b83
  • 657c3ddaff433067c7f74f3453c7eb37
  • bc693652d5f57e792551c3a62049ba0b
  • e770544551f94296b9a867e42435206f
  • ad24a6614c528de81283fe4a618682c7
  • d8a36dce73e91780b52b6f387c5cfd78

SHA-256

  • a3714c4409ab0020bd29ac0ec2ab5600b1a14de23be9e15b9b7271b0044070da
  • d820ec7f9196a5cc3dbc2b5860334a2e174fede80efc3b8463756fb8767dddf9
  • eddb45dfe783cb38e0597ba1a04b8fe9cdc126970dba9287f7325e05f62329ce
  • 77db7f8715797944c651f23ef60a033b7e84ce76dedabe1e5de359715a8de1aa
  • a70bbb5e3e77de0cce83a4631fd8b078d645b33f9578168a7f18734eb4c1f38d
  • 4b3cb90581dcd77c9ceffbd662b8dac70b68de5a03cd56940434cc035209d61d
  • 7de7b866c46f34be28f7085fb1a1727ab939d65abd3128871fb68c42371af2df

SHA1

  • fa2a087f838f4ba878712e604110435d992e0951
  • 027ed0ce372846f0906011392d9add7cb8cfdbf9
  • 597713b0225680528e9a9154a7acca984ef67075
  • d8d97ae6c7356168bde0a4426d4d9dc311921ded
  • 3dd8e1d7006eb1f27d54ca6f2c80f1b7dab23706
  • 9af3260f4ee0a6318db721d478a39fb91889e717
  • 5f40b43fdc5f9303f4107ca4ca17dd3db6025503

URL

  • http[:]//bibaiboba[.]beget[.]tech/config
  • http[:]//bibaiboba[.]beget[.]tech/gate
  • http[:]//h98801x4[.]beget[.]tech/config
  • http[:]//h98801x4[.]beget[.]tech/gate
  • http[:]//ikaschyn[.]beget[.]tech/config
  • http[:]//ikaschyn[.]beget[.]tech/gate
  • http[:]//manget6z[.]beget[.]tech/config
  • http[:]//manget6z[.]beget[.]tech/gate
  • http[:]//sh1213709[.]a[.]had[.]su/config
  • http[:]//sh1213709[.]a[.]had[.]su/gate
  • http[:]//sh1213709[.]a[.]had[.]su/loader/9ZNzBRpT
  • http[:]//sh1213709[.]a[.]had[.]su/loader/Ds5UabYT
  • http[:]//sh1213709[.]a[.]had[.]su/loader/Kv2TDW4O
  • http[:]//sh1213709[.]a[.]had[.]su/loader/MTIQK8lV
  • http[:]//sumakokl[.]beget[.]tech/config
  • http[:]//sumakokl[.]beget[.]tech/gate

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.