July 24, 2020
Severity
High
Analysis Summary
Maze ransomware has been observed being deployed in the post-initial-access phase. The loader in this campaign is a Maze affiliate tracked as SNOW. Initial access is gained through brute-force attacks, SMB exploitation and attacks on exposed RDP.
The loader is delivered in its unpacked form, downloaded directly from hxxp://37[.]1[.]210[.]52/vologda[.]dll. Once on a host, the SNOW loader uses the following tools.
- Mimikatz
- Metasploit
- Cobalt Strike
- PowerShell
- AdFind
- Koadic
- PowerShell Empire
Impact
- Theft of sensitive information
- Credential theft
- Unauthorized code execution
- Files encryption
Indicators of Compromise
MD5
- ea7bb99e03606702c1cbe543bb32b27e
- 6099bbf0f6f85495929ddfc9b66d6992
SHA-256
- fb71eaae22e6d93286d10228fc08229b1edf805e5817f698accfe2ec18968458
- d6d98da42bc495153168a6e7fceeebb599f9ed3e3a95ca67c301a66b50f34bd2
SHA1
- 85e38cc3b78cbb92ade81721d8cec0cb6c34f3b5
- 07849ba4d2d9cb2d13d40ceaf37965159a53c852
Source IP
- 37[.]1[.]210[.]52
URL
- http[:]//37[.]1[.]210[.]52/vologda[.]dll
Remediation
- Block the threat indicators at their respective controls.
- Keep all systems and software updated to the latest patched versions against all known security vulnerabilities.
- Maintain a strong password policy.
- Enable multi-factor authentication where possible.
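The indicators above are published defanged, so before they can be loaded into a control or matched against telemetry they have to be refanged. The script below is an added example, not part of the Rewterz alert: it carries the alert's own MD5/SHA1/SHA-256 hashes, IP and URL, refangs the network indicators, and checks them against a constructed set of file hashes and a handful of constructed proxy log lines (the timestamps, internal IPs and example.com/example.org entries are made up for illustration). The function names `refang`, `match_hashes` and `match_log_lines` are my own.

```python
from typing import Dict, List, Tuple

# Indicators copied verbatim from the alert, kept in their published (defanged) form.
IOCS = {
    "md5": [
        "ea7bb99e03606702c1cbe543bb32b27e",
        "6099bbf0f6f85495929ddfc9b66d6992",
    ],
    "sha1": [
        "85e38cc3b78cbb92ade81721d8cec0cb6c34f3b5",
        "07849ba4d2d9cb2d13d40ceaf37965159a53c852",
    ],
    "sha256": [
        "fb71eaae22e6d93286d10228fc08229b1edf805e5817f698accfe2ec18968458",
        "d6d98da42bc495153168a6e7fceeebb599f9ed3e3a95ca67c301a66b50f34bd2",
    ],
    "ip": ["37[.]1[.]210[.]52"],
    "url": ["http[:]//37[.]1[.]210[.]52/vologda[.]dll"],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its literal form so it can be matched or blocked."""
    return (
        indicator.replace("[.]", ".")
        .replace("[:]", ":")
        .replace("hxxp", "http")
    )


# Hash lookups are algorithm-agnostic: a hit on any of the three lists is a hit.
HASH_SET = {h.lower() for key in ("md5", "sha1", "sha256") for h in IOCS[key]}

# URLs are listed before bare IPs so the most specific indicator is reported for a line.
NETWORK_INDICATORS = [refang(i) for i in IOCS["url"] + IOCS["ip"]]


def match_hashes(observed: Dict[str, str]) -> List[str]:
    """Return the observed hashes (any algorithm, any case) that appear in the alert's lists."""
    return sorted(v.lower() for v in observed.values() if v.lower() in HASH_SET)


def match_log_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, indicator) for each log line that references the alert's IP or URL."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for indicator in NETWORK_INDICATORS:
            if indicator in line:
                hits.append((line_no, indicator))
                break  # one report per line, using the most specific indicator
    return hits


# Constructed proxy log lines for demonstration only; the 10.0.0.x clients and the
# example.com / example.org requests are not from the alert.
SAMPLE_PROXY_LOG = [
    "2020-07-24T10:01:13Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2020-07-24T10:02:40Z 10.0.0.23 GET http://37.1.210.52/vologda.dll 200",
    "2020-07-24T10:03:02Z 10.0.0.23 CONNECT 37.1.210.52:80 -",
    "2020-07-24T10:03:55Z 10.0.0.31 GET http://www.example.org/update 304",
]

# Constructed hash set for one file; only the MD5 is an alert indicator.
SAMPLE_FILE_HASHES = {
    "md5": "EA7BB99E03606702C1CBE543BB32B27E",
    "sha256": "0" * 64,
}


if __name__ == "__main__":
    print("Refanged network indicators for blocklisting:")
    for indicator in NETWORK_INDICATORS:
        print("  ", indicator)
    print("Hash hits:", match_hashes(SAMPLE_FILE_HASHES))
    for line_no, indicator in match_log_lines(SAMPLE_PROXY_LOG):
        print(f"Proxy log line {line_no} references {indicator}")
```

Matching is done on lowercase hash strings and on literal substrings of the refanged network indicators, so a log line carrying the full download URL is reported against the URL while a bare connection to the IP is reported against the IP.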