Severity
High
Analysis Summary
An unspecified “sophisticated cyber actor” has been found using malware to launch cyberattacks against targets in India, Kazakhstan, Kyrgyzstan, Malaysia, Russia and Ukraine. The malware, dubbed “SlothfulMedia,” is an information stealer capable of logging victims' keystrokes and modifying files, according to an analysis.
The sample is a dropper, which deploys two files when executed. The first is a remote access tool (RAT) named ‘mediaplayer.exe’, which is designed for command and control (C2) of victim computer systems. Analysis has determined that the RAT has the ability to terminate processes, run arbitrary commands, take screenshots, modify the registry, and modify files on victim machines. It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP). The second file has a random five-character name and deletes the dropper once the RAT has persistence. Persistence is achieved through the creation of a service named “Task Frame”, which ensures the RAT is loaded after a reboot.
Impact
- Information Theft
- Unauthorized Remote Access
- Data Manipulation
- Credential Theft
Indicators of Compromise
Domain Name
- sdvro[.]net
MD5
- 448838b2a60484ee78c2198f2c0c9c85
- 9f23bd89694b66d8a67bb18434da4ee8
- 92a40c64cea4a87de1c24437612f2e0f
SHA-256
- 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
- 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
- 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
SHA-1
- f2c43a01cabaa694228f5354ea8c6bcf3b7a49b3
- db8c6ea90b1be5aa560bfbe5a34577eb284243af
- f52f0685a72d6a8f3e119ce92b7cf1c2c6a83bb9
Remediation
- Block the threat indicators at their respective controls.
- Maintain up-to-date antivirus signatures and engines.
- Keep all systems and software patched against all known vulnerabilities.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
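As an added triage example (not part of the Rewterz alert), the following Python applies the indicators above to constructed log records: it refangs the published domain before matching proxy lines, and flags Windows service-installation records (event 7045) by the “Task Frame” service name or the mediaplayer.exe image described in the analysis. The one-record-per-line log layouts and the sample records are assumptions, not any product's real format.

```python
import re

# Indicators copied from the alert above; the domain is kept defanged as published.
IOC_DOMAINS_DEFANGED = {"sdvro[.]net"}
IOC_SERVICE_NAME = "Task Frame"    # persistence service named in the analysis
IOC_RAT_IMAGE = "mediaplayer.exe"  # RAT file name from the analysis

def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared with real log data."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()

# Assumed one-line rendering of a Windows System log 7045 "service installed" record.
SERVICE_INSTALL_RE = re.compile(
    r'EventID=7045 .*?ServiceName="(?P<name>[^"]*)" .*?ImagePath="(?P<image>[^"]*)"')
# Assumed proxy log layout: timestamp, client IP, method, URL, status.
PROXY_RE = re.compile(r"^\S+ (?P<client>\d+\.\d+\.\d+\.\d+) [A-Z]+ https?://(?P<host>[^/: ]+)")

def scan_service_events(lines):
    """Flag service installs that use the known service name OR the RAT image name."""
    hits = []
    for line in lines:
        m = SERVICE_INSTALL_RE.search(line)
        if m and (m["name"] == IOC_SERVICE_NAME
                  or m["image"].lower().endswith("\\" + IOC_RAT_IMAGE)):
            hits.append((m["name"], m["image"]))
    return hits

def scan_proxy_log(lines):
    """Return (client, host) pairs whose requests went to a refanged IoC domain."""
    bad = {refang(d) for d in IOC_DOMAINS_DEFANGED}
    return [(m["client"], m["host"].lower()) for m in map(PROXY_RE.match, lines)
            if m and m["host"].lower() in bad]

# Constructed sample records (not real telemetry); the 7036 line must NOT match.
SYSTEM_EVENTS = [
    'EventID=7045 Host=WS-01 ServiceName="Task Frame" ImagePath="C:\\ProgramData\\mediaplayer.exe"',
    'EventID=7045 Host=WS-02 ServiceName="Print Helper" ImagePath="C:\\Windows\\System32\\spoolsv.exe"',
    'EventID=7045 Host=WS-03 ServiceName="Media Helper" ImagePath="C:\\Users\\Public\\mediaplayer.exe"',
    'EventID=7036 Host=WS-01 ServiceName="Task Frame" State=running',
]
PROXY_LINES = [
    "2020-10-02T09:14:03Z 10.0.0.25 GET http://sdvro.net/index.php 200",
    "2020-10-02T09:14:05Z 10.0.0.26 GET https://www.example.com/ 200",
]
```

The WS-03 record shows why matching on the image name matters: a renamed service still surfaces, while the 7036 status event for the same service name is ignored because only install events are of interest.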