Rewterz Threat Advisory – CVE-2020-13955 – Apache Calcite man-in-the-middle
October 13, 2020Rewterz Threat Alert – QBot Using Windows Defender Antivirus as Phishing Bait
October 13, 2020Rewterz Threat Advisory – CVE-2020-13955 – Apache Calcite man-in-the-middle
October 13, 2020Rewterz Threat Alert – QBot Using Windows Defender Antivirus as Phishing Bait
October 13, 2020Severity
High
Analysis Summary
A RYUK infection is seen targeting victims with a malicious email that carried a link to download the Bazar/Kegtap loader, which injects into multiple processes, and which performs reconnaissance on the infected system, using Windows utilities like nltest and net group, as well as third-party tool AdFind. The entire infection took 29 hours from an email being sent to the target to full environment compromise and the encryption of systems. The malware remained quiet for roughly one day, after which a second reconnaissance phase was launched, using the same tools, plus Rubeus. Data was exfiltrated to a remote server and the attackers started lateral movement. To compromise additional systems on the network, the attackers used various methods, including remote WMI, remote service execution with PowerShell, and a Cobalt Strike beacon dropped over SMB. Next, the Cobalt Strike beacon was used as the main pivotal point. Additional beacons were then established across the environment and PowerShell was employed to disable Windows Defender. Ryuk was executed one minute after being transferred over SMB from the pivot and, once encryption started, the servers used to store backups were hit first. Ryuk was also transferred to the remaining hosts on the network via SMB, and an RDP connection was leveraged to execute it from the pivot domain controller.
Impact
- Information Theft
- Data Exfiltration
- Files Encryption
- Network Compromise
Indicators of Compromise
Domain Name
- x59gc[.]com
- allrulk[.]com
- martahzz[.]com
- nomadfunclub[.]com
MD5
- 3d483689f373a12f6f9607079b9cebb9
- 9ea7a28fc686c65c01c30eece8f2e903
- 52a8527e0d7cd86b1d04ccc80eb6595e
- 826519293dd705f70297185bf5947382
- 7d11779283ce65e18f30e1cf2a62d6f6
- 704dea93ef129b6c10b5b02433b51ec2
- 04cd7e91f40c045497ffcf802c43c159
- 40b17d4ca83f079cf6b2b09d7a7fd839
- 9ff18f7a19e06b602e19b9e0aca3ad84
- b94bb0ae5a8a029ba2fbb47d055e22bd
SHA-256
- cfe670624f2af7a13e05cfc0dca3700b5c5bce8e4b58a73e712a9c3fc44b79de
- 0550ae3895700c365561c345f7414e4fb292e16fb545c2e7aa3ac70ec5f27764
- 1055df2f38b4f540a99c23ecab450a4dc032c71579f41dd8314e892b3db21cfe
- 5af1fd37cb9a1afdb327e3757238203d8ee3cee0508057a46a890b7569272c62
- 45f8ed5faa1a4dcdc384516976190f836ce3e7b9a4ba3ff7dd0116a1ea8e121b
- d8576fba423360297b0661833a0e06564230c2079db214dc6830c648e5193e51
- 8c55e3b7ce984976b237f03414886e8a2df5884d6f1485716493c84b0abf073e
- 85ef348d39610c1d5f58e2524c0e929ec815a9fbe1f5924cdef7a0c05e58e5ad
- 9d8cbb2bf4801276de2143ccd64a7d0f66263809a90bea0b664282a15d121d9e
- f6a377ba145a5503b5eb942d17645502eddf3a619d26a7b60df80a345917aaa2
SHA1
- 78d216d54f4505bf9ede1bcd1688cbe13c14411d
- b7f78b436f616577a18e211cd4f7055543b9069a
- 84867acf6698d97c05dd986a73b9a8d602c627d6
- 52936b4188617cfb0aaeecff4297009ffc2deb61
- 046cfad64fc090029da71af720088485c309e6c5
- bf5320ca42de290abc7d618c32167d9f79debc97
- 982a86c4e65c7c86ba680ed4c016882d1aa6cb90
- 090e82a47b32dc94d71d4c84a3a76d2480589b00
- bcbb5bbc55b4f44397c34e9fca2017587e69219b
- 035940bd120a72e2da1b6b7bb8b4efab46232761
Source IP
- 107[.]150[.]59[.]162
- 88[.]119[.]171[.]75
- 45[.]141[.]84[.]120
- 206[.]221[.]176[.]24
- 185[.]51[.]134[.]195
- 5[.]182[.]210[.]145
- 107[.]173[.]58[.]183
URL
- https[:]//x59gc[.]com[:]443
- http[:]//x59gc[.]com
- https[:]//x59gc[.]com
- http[:]//grumhit[.]com/rest/t
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Implement strong password policy and enable multi-factor authentication.
- Keep all systems and software updated to latest patched versions.