Severity
High
Analysis Summary
A multi-stage VBS downloader has been observed being delivered to targets via malspam campaigns and used to distribute RevengeRAT and WSHRAT. The infection starts with an MHT file inside a ZIP archive sent over email, which calls back to the following open-directory server: http://newdocreviewonline.3utilities[.]com/
Two files are hosted on this server, among them Review.php, which downloads Microsoft.hta. Microsoft.hta is a JavaScript file made up largely of URL-encoded characters.
Decoding those characters reveals an HTML file containing VBScript code that creates a new script called A6p.vbs (stored in AppData/Local), which is then used to download and execute stage 2, another script called Microsoft.vbs. Stage 2 is downloaded from https://scisolinc[.]com/wp-includes/Text/microsoft.vbs and is heavily obfuscated.
RevengeRAT is known for targeting government entities, financial services organizations, information technology service providers and consultancies.
Impact
- Unauthorized Remote Access
- Credential Theft
- Data Manipulation
- Financial loss
Indicators of Compromise
Domain Name
- newdocreviewonline.3utilities[.]com
Source IP
- 193.56.28[.]134
- 185.84.181[.]102
URL
- hxxp[:]//newdocreviewonline[.]3utilities[.]com/
- hxxp[:]//newdocreviewonline.3utilities[.]com/2/
- hxxp[:]//newdocreviewonline.3utilities[.]com/1/
- hxxp[:]//newdocreviewonline.3utilities[.]com/microsoft[.]hta
- hxxps[:]//scisolinc[.]com/wp-includes/Text/microsoft[.]vbs
- hxxp[:]//britianica.uk[.]com:4132
- hxxp[:]//185.84.181[.]102[:]5478
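As an added example that is not part of the Rewterz advisory, the following Python refangs the network indicators listed above and checks proxy and DNS log lines for any host that matches them; the log line format and the sample lines are assumptions constructed for the dry run.

```python
import re
from urllib.parse import urlsplit
# Network indicators copied from the advisory, still in their defanged form.
DEFANGED_IOCS = [
    "newdocreviewonline.3utilities[.]com",
    "193.56.28[.]134",
    "hxxp[:]//newdocreviewonline.3utilities[.]com/microsoft[.]hta",
    "hxxps[:]//scisolinc[.]com/wp-includes/Text/microsoft[.]vbs",
    "hxxp[:]//britianica.uk[.]com:4132",
    "hxxp[:]//185.84.181[.]102[:]5478",
]

def refang(indicator: str) -> str:
    """Reverse the hxxp / [.] / [:] defanging used in the advisory."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")

def host_of(value: str) -> str:
    """Reduce a URL, host:port pair, bare domain or IP to a lower-case host name."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    if re.fullmatch(r"[\w.-]+:\d+", value):
        value = value.rsplit(":", 1)[0]
    return value.lower().rstrip(".")

def indicator_hosts(defanged=DEFANGED_IOCS):
    """Build the set of hosts to hunt for from the defanged indicator list."""
    return {host_of(refang(i)) for i in defanged}

def scan_logs(lines, hosts=None):
    """Return (line_no, host) for each log line that touches a known indicator host.
    Lines are split on whitespace, so URLs, host:port pairs and bare DNS names all match."""
    hosts = indicator_hosts() if hosts is None else hosts
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.split():
            h = host_of(tok.strip(",;\"'"))
            if h in hosts:
                hits.append((n, h))
                break
    return hits

# Constructed sample proxy/DNS lines for a dry run; not taken from the advisory.
SAMPLE_LOGS = [
    "2019-11-14T09:12:01 10.0.0.7 GET http://newdocreviewonline.3utilities.com/microsoft.hta 200",
    "2019-11-14T09:13:40 10.0.0.7 CONNECT 185.84.181.102:5478 -",
    "2019-11-14T09:14:02 10.0.0.9 query A www.example.org",
    "2019-11-14T09:15:10 10.0.0.9 query A britianica.uk.com.",
]
```

Only the host component is compared, so a hit on line 1 means the open directory was reached regardless of which path (/1/, /2/ or microsoft.hta) was requested.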
Remediation
- Block the threat indicators at their respective controls.
- Do not respond to emails coming from untrusted sources.
- Do not download files or visit links attached to untrusted emails.