April 15, 2020
Severity
High
Analysis Summary
The TA505 cybercrime group has ramped up its attacks lately, with a set of campaigns bent on spreading the persistent SDBbot remote-access trojan (RAT) laterally throughout an entire corporate environment. SDBbot RAT is a custom-built tool that has been observed in TA505 attacks since at least September 2019; it offers remote-access capabilities and has a few spyware aspects, including the ability to exfiltrate data from the victimized devices and networks. The custom RAT also offers persistent access and lateral network movement.
Recently, targeted emails were sent to enterprise employees in Europe. The malicious emails purported to be messages from the HR department sent via Onehub, a legitimate, cloud-based file-sharing application for businesses. The messages carried macro-enabled attachments named simply "Resume.doc." If opened, they ultimately delivered the SDBbot malware via a dropper containing embedded dynamic-link libraries (DLLs) and an installer component.

The emails were designed to extract Active Directory (AD) discovery data and user credentials, and to infect the environment with the SDBbot RAT. Once the malicious code was executed, it dropped a malicious binary (DLL) similar to Cobalt Strike, which subsequently created and executed additional files. These three additional files make up SDBbot: an installer, a loader and the payload itself.

A Meterpreter reverse shell was used to remotely control compromised systems within the internal network. It was installed as a service through the execution of an encoded PowerShell script. The malicious PowerShell command decodes into a reverse shell connecting back to two malicious IP addresses.

Analysts expect that this group will continue to target a wide range of industries using social engineering to deliver open-source and custom malware, while constantly adjusting TTPs and C2 infrastructure to evade detection.
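The encoded-PowerShell step described above is the point in this chain that a defender can most readily catch in process-creation telemetry. The script below is an added example written for this advisory; it is not Rewterz tooling and is not derived from the TA505 samples. It decodes the Base64-over-UTF-16LE argument of PowerShell's `-EncodedCommand` in constructed Windows event 4688-style log lines, looks for substrings that a reverse-shell one-liner would expose once decoded, and matches any IPv4 address in the decoded text against the advisory's Source IP list. The log lines, the token watch-list and the decoded fragment (only a TCPClient constructor, deliberately incomplete) are constructed for the example.

```python
import base64
import re

# Source IPs from the advisory, refanged so they can be compared with log data.
ADVISORY_IPS = {
    ip.replace("[.]", ".")
    for ip in ("91[.]214[.]124[.]25", "91[.]214[.]124[.]20", "185[.]176[.]221[.]45")
}

# Hypothetical, minimal watch-list of substrings that typically appear once an
# encoded PowerShell reverse-shell command is decoded. Tune for your environment.
REVERSE_SHELL_TOKENS = (
    "System.Net.Sockets.TCPClient",
    ".GetStream(",
    "Invoke-Expression",
    "IEX ",
    "New-Service",
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest first so
# the regex does not stop at "-e" and then fail on the following letter.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand, or None if the line has none.
    PowerShell expects Base64 over UTF-16LE, so the decode must use that encoding."""
    match = ENCODED_FLAG.search(command_line)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_command_line(command_line):
    """Decode one command line and report what a detection rule would key on."""
    decoded = decode_encoded_command(command_line)
    if decoded is None:
        return {"encoded": False, "tokens": [], "ioc_ips": set(), "suspicious": False}
    lowered = decoded.lower()
    tokens = [t for t in REVERSE_SHELL_TOKENS if t.lower() in lowered]
    ioc_ips = set(IPV4.findall(decoded)) & ADVISORY_IPS
    return {
        "encoded": True,
        "decoded": decoded,
        "tokens": tokens,
        "ioc_ips": ioc_ips,
        "suspicious": bool(tokens or ioc_ips),
    }


def scan_log(lines):
    """Return (line_number, analysis) for each process-creation line that looks suspicious."""
    findings = []
    for number, line in enumerate(lines, start=1):
        _, separator, command_line = line.partition("CommandLine=")
        if not separator:
            continue
        result = analyse_command_line(command_line)
        if result["suspicious"]:
            findings.append((number, result))
    return findings


def _encode_for_powershell(script):
    """Build -EncodedCommand arguments for the constructed sample log below."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample of 4688-style process-creation records (not real telemetry).
# Line 1 is unencoded, line 2 decodes to a benign admin command, and line 3
# decodes to a fragment carrying a TCPClient constructor and an advisory IP.
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    f"4688 NewProcessName={_PS} CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    f"4688 NewProcessName={_PS} CommandLine=powershell.exe -enc "
    + _encode_for_powershell("Get-Service | Where-Object Status -eq 'Running'"),
    f"4688 NewProcessName={_PS} CommandLine=powershell.exe -nop -w hidden -EncodedCommand "
    + _encode_for_powershell("$c = New-Object System.Net.Sockets.TCPClient('91.214.124.25', 443)"),
]

if __name__ == "__main__":
    for line_number, result in scan_log(SAMPLE_LOG):
        print(f"line {line_number}: tokens={result['tokens']} ioc_ips={sorted(result['ioc_ips'])}")
        print("  decoded:", result["decoded"])
```

Only the third sample line is reported. In production this logic belongs alongside PowerShell Script Block Logging (event 4104), which records the decoded script regardless of how it was launched, and the IP match should be extended to the domains and hashes listed under Indicators of Compromise.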
Impact
- Credential Theft
- Unauthorized Remote Access
- Data Exfiltration
- Network-wide infection
Indicators of Compromise
Domain Name
- drm-server-booking[.]com
- microsoft-live-us[.]com
- dl1[.]sync-share[.]com
- office365-update-en[.]com
- d1[.]syncdownloading[.]com
- googledrive-download[.]com
- update365-office-ens[.]com
- office-en-service[.]com
- news-server-drm-google[.]com
MD5
- edbe98468cd888bf029bc8e297a310b3
- 994104c30d57141a99e0e414ef2d8837
- ab9103c8fd35ec7b5a99e463a2f8fc59
- 61b94dfc9bea1a876b140a72c450e4bb
- cd1096991867bb5ad72b983441bfe04b
- e14d7460f62a122d85a2ce1b69080497
- 0fdb43fc559a35afcc422b786f45a997
- bc59fa5dbb11f5d286fc41e8f25c6cc0
- 888fa9c56b06cf6255142e2c592b2437
- 945fff5b2d903ccc0787f41a9ba6df98
SHA-256
- 7be0da2a873fe10fadb76b241460badbd5d6533237e99ca7a59f4b6676edcc33
- a04d0cb7362e3650239230b40fac1d2d42357cec1ded2e78456e49dd6713b470
- 1cbad7cdb6a27a48c98a75b28ca2c63116440dd7891f7300e2109d36b8aae7a1
- 169f8f4798d048e1c50dac25417ad639b951571a371346401cc981d677b2d5ac
- e12e250047a8074c9f68199b81b05414ec5461a9e94af225ba3896948dad882e
- c850d3b6c9a8a8af6072e79fa1430bb1d2290d2b59ccfe6b2edb5a6de1464326
- 50bf52cbfcdfa125120b7b7b79218a0a09cbd8b5fac4db1be35dc63f7e557ec8
- 0e40ba8c2c0a2fcbb5290d131bb42651f90f33f5e230556736a5acb4ffd4251d
- 238d40bbc430c6098a8ad4682ac3722e36b1d2e91fc9030124e5152b6b186e94
- bc7ea56a2dd0f7a2db378da4565c6fe97968e1387f2e16d3adb82fd75e53d33a
SHA-1
- bf0f7abda2228059bb00ec9658ee447fbe84d277
- d40510da42a478d72e649993208710668a7f6c27
- 0cc7cca16afd632857e3883c06b2f55c057b563e
- d36e983886a084887f887c6d562d3bc0664587c4
- fea7d944e317c7b2ef1aba57600a8c5310368085
- 35423e04e58ab1f2267e19c47e1c69ea5b7041cc
- fd9620c0c295caaee3096423532bb1dbfb7064c5
- cb0b39534d99057b02b090c3650fb1de43d19a02
- caff1d315a5d87014e5fa62346f58407755d971e
- 45c43ec18d15ba7850e6ad2e2e54671636f4d926
Source IP
- 91[.]214[.]124[.]25
- 91[.]214[.]124[.]20
- 185[.]176[.]221[.]45
URL
- https[:]//clck[.]ru/JnFFT
- https[:]//clck[.]ru/JnFFT&data=02|01||bed42450519b40df
Remediation
- Block the threat indicators at their respective controls.
- Do not download unexpected files coming from untrusted email addresses.
- Ensure employee awareness of the latest phishing emails and subject lines.