Rewterz Threat Alert – Latest Emotet IOCs
July 14, 2020Rewterz Threat Advisory – CVE-2019-4591 – IBM Maximo Asset Management security bypass
July 14, 2020Severity
High
Analysis Summary
Researchers have analyzed a new TrickBot module that appears to have still been in development and unintentionally deployed in the wild. The module, named “grabber.dll,” was discovered being loaded by a TrickBot sample with the gtag “chil48.” The module version was listed as 0.6.8 and its purpose appears to be for browser data stealing, such as stored passwords and cookies. Strangely, when loaded, the module opens a browser window that displays a warning message about the stealing activity occurring. The researchers hypothesize that this is likely a test module that was not supposed to be distributed to victims. Furthermore, it may indicate that legitimate coders are being hired under the ruse of developing anti-malware software to help develop part of the code. They also noted that another module associated with this sample was discovered, “socksbot.dll,” that handles Socks5 proxy activity.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
MD5
- 57103CAE44BA3FA21804EBC9BF702B1F
- 382A62908E86BB1F333EC99B17A38930
- 4BE2C925E06F6CABB3D3761B8D3A3D11
SHA-256
- 38828f9550533168b66b455b31924b06e89ce368b463738f92facff0f84ef261
- 06c0a7b860eb2e562c8704ae0c362d7aba902cd94f80a183eda1444c4f78984f
- 2a1ce52e596fc8d8ca40b978302eba722e2ce013dd7c604a5d8de855130d420b
SHA1
- 6068d2d536a19a5b160d9d037959f6ff5e418a3c
- c14d8427bfac708ea611b7b631055cee8deaca1b
- 5da253bb3c7b8c19f871a7fd2576affc5ad8c4a2
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.