Rewterz Threat Advisory – CVE-2020-10055 – ICS: Siemens Desigo CC
August 13, 2020Rewterz Threat Advisory – CVE-2020-1455 – Microsoft SQL Server Management Studio Vulnerability
August 13, 2020
Severity
High
Analysis Summary
Researchers have analyzed two samples of script-based malware. Both samples were distributed by exploiting CVE-2019-0752, an Internet Explorer RCE vulnerability. Specifically, the exploit is used to execute PowerShell commands that download the malicious scripts. The first sample is an obfuscated JavaScript file that contains two packed pieces of JavaScript code. The first piece of code is saved to a registry key, while the second piece is saved to a JSE file whose path is saved in a Registry Run key. The saved JSE file is then executed and the initial JavaScript file is deleted. The JSE file is responsible for running the code that the first script saved to the registry key. This code in turn establishes a connection to the C2 server and processes any commands returned by the server. With this C2 connection, attackers can execute commands, download files, terminate the current process, and reboot or shut down the system. The second script-based malware sample analyzed by Palo Alto is a compiled AutoIT script. It simply acts as a downloader for additional payloads, which could be any variety of malware, such as ransomware, spyware, or RATs.
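One way to hunt for the persistence pattern described above (a Run key that launches a .jse file through a script host, plus script code parked in another registry value) is to scan a `reg export` dump of the suspect host. This is an added example, not code from the advisory or from Palo Alto's analysis; the registry paths, value names and the `SAMPLE_REG_EXPORT` data are constructed for illustration.

```python
import re

# Constructed `reg export`-style text standing in for a suspect host's registry;
# none of these paths or values come from the advisory.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //B \"C:\\Users\\u\\AppData\\Roaming\\upd\\stage.jse\""

[HKEY_CURRENT_USER\Software\ExampleVendor\Cache]
"blob"="var a=unescape('%75%6e'); eval(String.fromCharCode(118,97,114));"
'''

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(jse?|vbs|vbe|wsf)\b", re.I)
# Tokens typical of packed/obfuscated JScript stored as a REG_SZ value.
JS_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "ActiveXObject", "WScript.")

def is_run_key(key):
    """True for the per-user/per-machine Run and RunOnce autostart keys."""
    return key.lower().rstrip("\\").endswith(("\\currentversion\\run", "\\currentversion\\runonce"))

def parse_reg_export(text):
    """Yield (key, name, value) for each REG_SZ value; key tracked from [..] headers."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            # reg export escapes backslashes and quotes inside REG_SZ data.
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group(1), value

def scan_reg_export(text):
    """Flag Run-key script launchers and registry values that look like JScript."""
    findings = []
    for key, name, value in parse_reg_export(text):
        if is_run_key(key) and (SCRIPT_HOST.search(value) or SCRIPT_EXT.search(value)):
            findings.append({"key": key, "name": name, "rule": "run_key_script_launcher"})
        elif sum(marker in value for marker in JS_MARKERS) >= 2:
            findings.append({"key": key, "name": name, "rule": "script_in_registry_value"})
    return findings

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"{f['rule']}: {f['key']} -> {f['name']}")
```

Feed it the output of `reg export HKCU out.reg` (and HKLM) from a host under review; legitimate Run entries that point at .exe files, like the OneDrive entry in the sample, are left alone.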
Impact
Persistence on the target system
Indicators of Compromise
SHA-256
- 751D161ED4AFD822925C0373395F014578F166467D20A4B1ADFDB27FD0A83C36
- CCCF25DCD1FA16017B2ACCF4BC501BE583824423FC3A09779116AE07D833F2B2
- BA60EFE2E939DA16E3D240732FDA286FBD3DB3A0F06CB12D7042C7FAC9B82B86
URL
Remediation
- Search for existing signs of the indicated IoCs in your environment.
- Ensure anti-virus software and associated files are up to date.