Rewterz Threat Alert – Shodi Malware – Active IOCs
March 22, 2022
Severity
Medium
Analysis Summary
French entities have become the target of a new backdoor called “Serpent.” The backdoor is delivered through the Chocolatey package installer. The threat actors have constructed a lure themed around the GDPR (the European Union’s General Data Protection Regulation). Once the macros are enabled, they execute and reach out to an image URL. A PowerShell script hidden in the image at that URL then downloads, installs, and updates the package installer. Chocolatey is then used to install Python and Python packages.
The “Swiper” image is encoded with the PowerShell scripts used to download and install Chocolatey and Python and to fetch another steganographic image.
Impact
- Information Theft and Espionage
- Exposure of Sensitive Data
Indicators of Compromise
Email Address
- no-reply@dgfip-nanterre[.]com
- jean[.]dupontel@protonmail[.]com
Email Subject
- Candidature – Jeanne Vrakele
MD5
- 321e04294c04db10d5dbf05051e540e2
SHA-256
- 8912f7255b8f091e90083e584709cf0c69a9b55e09587f5927c9ac39447d6a19
SHA-1
- 2d6f1ed1236727b36a92dd44cd987c36d6fb7e35
URL
- http[:]//shorturl[.]at/qzES8
- https[:]//www[.]fhccu[.]com/images/ship3[.]jpg
Remediation
- Block the threat indicators at their respective controls.
- Search for IOCs in your environment.
- Do not open emails from unknown or suspicious sources.
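As an added example, not part of the Rewterz alert, the following Python script shows one way to carry out the "search for IOCs in your environment" step above using the indicators this alert lists: it refangs the defanged values (the `[.]` and `[:]` notation used in the alert), then scans log lines for the sender addresses, the subject, the hashes and the URLs. The log lines, their format and the file name `form.docm` are constructed for the example and are not from the alert.

```python
import re
from dataclasses import dataclass

# Indicators copied from the alert above. They are published defanged
# ("[.]", "[:]") so that they cannot be clicked or resolved by accident.
DEFANGED_EMAILS = [
    "no-reply@dgfip-nanterre[.]com",
    "jean[.]dupontel@protonmail[.]com",
]
EMAIL_SUBJECT = "Candidature – Jeanne Vrakele"
HASHES = {
    "md5": "321e04294c04db10d5dbf05051e540e2",
    "sha1": "2d6f1ed1236727b36a92dd44cd987c36d6fb7e35",
    "sha256": "8912f7255b8f091e90083e584709cf0c69a9b55e09587f5927c9ac39447d6a19",
}
DEFANGED_URLS = [
    "http[:]//shorturl[.]at/qzES8",
    "https[:]//www[.]fhccu[.]com/images/ship3[.]jpg",
]

# Constructed sample log lines (proxy, mail gateway, endpoint agent) used to
# exercise the scanner; the format and the file name are assumptions.
SAMPLE_LOG = [
    "2022-03-22T09:14:02Z proxy GET https://www.fhccu.com/images/ship3.jpg 200 user=alice",
    "2022-03-22T09:13:55Z smtp from=no-reply@dgfip-nanterre.com subject=\"Candidature – Jeanne Vrakele\"",
    "2022-03-22T09:20:11Z edr file=C:\\Users\\alice\\Downloads\\form.docm "
    "sha256=8912f7255b8f091e90083e584709cf0c69a9b55e09587f5927c9ac39447d6a19",
    "2022-03-22T09:21:00Z proxy GET https://example.org/index.html 200 user=bob",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its literal form for matching."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def url_host(url: str) -> str:
    """Return the lower-cased host part of a refanged URL ('' if none)."""
    m = re.match(r"^[a-z]+://([^/]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str        # "email", "url", "host", "subject" or a hash algorithm
    indicator: str


def build_matchers() -> dict:
    """Group the refanged, lower-cased indicators by the kind of match they produce."""
    urls = [refang(u) for u in DEFANGED_URLS]
    return {
        "email": [refang(e).lower() for e in DEFANGED_EMAILS],
        "url": [u.lower() for u in urls],
        "host": sorted({url_host(u) for u in urls}),
        "subject": [EMAIL_SUBJECT.lower()],
        **{algo: [h.lower()] for algo, h in HASHES.items()},
    }


def scan_lines(lines) -> list:
    """Return every IOC hit in the given lines (case-insensitive substring match)."""
    matchers = build_matchers()
    hits = []
    for n, line in enumerate(lines, start=1):
        lowered = line.lower()
        for kind, indicators in matchers.items():
            for ind in indicators:
                if ind in lowered:
                    hits.append(Match(n, kind, ind))
    return hits


def lines_with_hits(lines) -> list:
    """Sorted line numbers that contain at least one indicator."""
    return sorted({h.line_no for h in scan_lines(lines)})


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} -> {hit.indicator}")
```

A host-level match on `shorturl.at` is low confidence on its own, since it is a public URL shortener; block and alert on the full shortened URL rather than the whole host, and treat the `www.fhccu.com` image path, the sender addresses and the hashes as the higher-confidence hits.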