
Rewterz Threat Alert – Script-Based Malware through Internet Explorer Exploits

August 13, 2020

Severity

High

Analysis Summary

Palo Alto Networks researchers have analyzed two samples of script-based malware. Both samples were delivered by exploiting CVE-2019-0752, a memory-corruption vulnerability in Internet Explorer's scripting engine that allows remote code execution; the exploit is used to run PowerShell commands that download the malicious scripts.

The first sample is an obfuscated JavaScript file containing two packed pieces of JavaScript. The first piece is written to a registry value; the second is written to a JSE file on disk, and the path to that file is stored in a Registry Run key so it executes at logon. The dropper then launches the JSE file and deletes the original JavaScript file. When run, the JSE file loads and executes the code parked in the registry by the first script. That code connects to the C2 server and processes whatever commands the server returns: with this channel the attackers can execute commands, download files, terminate the current process, and reboot or shut down the system.

The second sample is a compiled AutoIT script. It acts purely as a downloader for additional payloads, which could be any variety of malware, such as ransomware, spyware, or RATs.

Impact

Persistence on the target system, remote command execution through the C2 channel, and download of additional payloads

Indicators of Compromise

SHA-256

  • 751D161ED4AFD822925C0373395F014578F166467D20A4B1ADFDB27FD0A83C36
  • CCCF25DCD1FA16017B2ACCF4BC501BE583824423FC3A09779116AE07D833F2B2
  • BA60EFE2E939DA16E3D240732FDA286FBD3DB3A0F06CB12D7042C7FAC9B82B86

URL

  • hxxp[:]//assurancetemporaireenligne[.]com/c[.]js
  • hxxp[:]//seemee[.]ddns[.]net/loader/loader2/www/loader[.]php
  • hxxp[:]//seemee[.]ddns[.]net/loader/loader2/www/cmd[.]php
  • hxxp[:]//dark[.]crypterfile[.]com/2[.]exe
  • hxxp[:]//dark[.]crypterfile[.]com/1/desktop[.]exe
  • hxxp[:]//dark[.]crypterfile[.]com/1/99[.]exe
  • hxxp[:]//dark[.]crypterfile[.]com/1/Calc[.]vbs
  • hxxp[:]//dark[.]crypterfile[.]com/1/calculator[.]exe
  • hxxp[:]//dark[.]crypterfile[.]com/1/calc[.]exe

Remediation

  • Apply the Microsoft security update for CVE-2019-0752, which closes the Internet Explorer vulnerability used to deliver these samples.
  • Search for existing signs of the indicated IoCs in your environment, and block the listed domains and URLs at the web proxy.
  • Audit Run and RunOnce keys for entries that point at .jse or other script files, and review registry values that hold script code rather than configuration data.
  • Ensure anti-virus software and associated files are up to date.
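The persistence chain described in the analysis summary (script code parked in a registry value, a .jse file on disk referenced from a Run key) and the "search for the indicated IoCs" step in the remediation list can both be checked from telemetry. The script below is an added example written for this advisory, not tooling from Rewterz or Palo Alto Networks. It scores Sysmon-style registry events (the EventID 13 fields TargetObject, Details and Image) against the behaviour in the summary, and matches proxy log lines against the published URLs and their hosts. The sample events, the layout of the proxy lines, and the registry paths and file names inside them are constructed for the example and are assumptions, not indicators from the alert.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators exactly as the alert publishes them (hashes and defanged URLs).
IOC_SHA256 = {
    "751D161ED4AFD822925C0373395F014578F166467D20A4B1ADFDB27FD0A83C36",
    "CCCF25DCD1FA16017B2ACCF4BC501BE583824423FC3A09779116AE07D833F2B2",
    "BA60EFE2E939DA16E3D240732FDA286FBD3DB3A0F06CB12D7042C7FAC9B82B86",
}
IOC_URLS_DEFANGED = [
    "hxxp[:]//assurancetemporaireenligne[.]com/c[.]js",
    "hxxp[:]//seemee[.]ddns[.]net/loader/loader2/www/loader[.]php",
    "hxxp[:]//seemee[.]ddns[.]net/loader/loader2/www/cmd[.]php",
    "hxxp[:]//dark[.]crypterfile[.]com/2[.]exe",
    "hxxp[:]//dark[.]crypterfile[.]com/1/desktop[.]exe",
    "hxxp[:]//dark[.]crypterfile[.]com/1/99[.]exe",
    "hxxp[:]//dark[.]crypterfile[.]com/1/Calc[.]vbs",
    "hxxp[:]//dark[.]crypterfile[.]com/1/calculator[.]exe",
    "hxxp[:]//dark[.]crypterfile[.]com/1/calc[.]exe",
]


def refang(url):
    """Turn a defanged indicator back into the form that appears in logs."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Run/RunOnce value, a script file extension, script-like content, and a script host.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
SCRIPT_FILE_RE = re.compile(r"\.(jse|js|vbs|vbe|wsf)\b", re.IGNORECASE)
SCRIPT_BODY_RE = re.compile(r"\b(eval|unescape|ActiveXObject|WScript\.Shell|XMLHTTP)\b")
SCRIPT_HOST_RE = re.compile(r"\\(wscript|cscript|powershell)\.exe$", re.IGNORECASE)


def check_registry_event(event):
    """Score one Sysmon EventID 13 (value set) record; returns a list of reasons."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    image = event.get("Image", "")
    reasons = []
    if RUN_KEY_RE.search(target) and SCRIPT_FILE_RE.search(details):
        reasons.append("Run key points at a script file")
    if SCRIPT_HOST_RE.search(image) and RUN_KEY_RE.search(target):
        reasons.append("script host wrote a Run key")
    # The first packed piece is stored as data, not as a path: a long value that
    # looks like code is the tell.
    if len(details) > 256 and SCRIPT_BODY_RE.search(details):
        reasons.append("script body stored in a registry value")
    return reasons


# Assumed proxy line layout: "<timestamp> <client-ip> <method> <url> ..."
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def check_proxy_line(line):
    """Return the matched indicator (full URL, else host) for a proxy line, or None."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    if url in IOC_URLS:
        return url
    host = urlsplit(url).hostname  # query strings and new paths still hit on host
    return host if host in IOC_HOSTS else None


def sha256_matches(data):
    """Compare a file's SHA-256 against the published hashes (case-insensitive)."""
    return hashlib.sha256(data).hexdigest().upper() in IOC_SHA256


# Constructed sample records modelled on the chain in the summary (assumptions).
SAMPLE_REGISTRY_EVENTS = [
    {  # benign: Explorer updating an MRU list
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
        "Details": "notepad",
    },
    {  # first packed piece parked in a registry value
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\update\code",
        "Details": "eval(unescape('" + "%41" * 100 + "'))",
    },
    {  # Run key pointing at the dropped .jse
        "Image": r"C:\Windows\System32\wscript.exe",
        "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\update",
        "Details": r"C:\Users\Public\update.jse",
    },
]
SAMPLE_PROXY_LINES = [
    "2020-08-13T09:00:01Z 10.0.0.12 GET http://www.example.com/index.html",
    "2020-08-13T09:00:07Z 10.0.0.12 GET http://assurancetemporaireenligne.com/c.js",
    "2020-08-13T09:02:30Z 10.0.0.12 POST http://seemee.ddns.net/loader/loader2/www/cmd.php?id=1",
]


def hunt(registry_events, proxy_lines):
    """Run both checks and return (source, subject, reason) findings."""
    findings = []
    for ev in registry_events:
        for reason in check_registry_event(ev):
            findings.append(("registry", ev["TargetObject"], reason))
    for line in proxy_lines:
        hit = check_proxy_line(line)
        if hit:
            findings.append(("proxy", line.split()[1], hit))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_REGISTRY_EVENTS, SAMPLE_PROXY_LINES):
        print(*finding)
```

The host-level fallback in `check_proxy_line` matters here: the C2 paths under seemee[.]ddns[.]net take parameters, so an exact URL match alone would miss the beacon. Run the registry checks over exported Sysmon events and the proxy check over the web gateway log for the period in question; `sha256_matches` is for any .jse or AutoIT binary recovered from a host.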
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.