Rewterz Threat Advisory – CVE-2020-12030 – ICS: Emerson WirelessHART Gateway Access Control Vulnerability
May 18, 2020
Rewterz Threat Alert – RATicate – Information-Stealing Malware
May 19, 2020
Severity
High
Analysis Summary
A new, as yet unnamed Trojan is being spread disguised as a visa application. The legitimate application is stored encrypted inside the dropper that delivers the Trojan, and the dropper carries both a 32-bit and a 64-bit next-stage payload. The operators direct the Trojan's next steps using little-known HTTP status codes. The malware can determine the target's geolocation, gather host and network data, log keystrokes, and capture screenshots. It is self-propagating and uses a dynamically resolved address to further complicate analysis.

Data is RSA-encrypted before exfiltration to the C2, and data held locally is hidden using LZNT1 compression and a one-byte XOR encryption. The initial infection vector is still unknown; however, analysis revealed that the first-stage dropper was downloaded from a shared directory on the local area network. The Trojan can use .DOC and .PDF files as the transport for delivering the main module, and it is this module that contains the HTTP status-code-driven Trojan. When the C2 is configured with TLS support, communications use HTTPS over port 443; otherwise all communication is plain HTTP over port 80.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
IP
- 95[.]183[.]49[.]10
- 95[.]183[.]49[.]29
- 200[.]63[.]45[.]35
MD5
- A6AFA05CBD04E9AF256D278E5B5AD050
- 1BB03CBAD293CA9EE3DDCE6F054FC325
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
- Search for IOCs in your existing environment.