• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Advisory – CVE-2020-4306 – IBM Planning Analytics Local Cross-Site Scripting Vulnerability
June 1, 2020
Rewterz Threat Advisory – IBM Business Automation Workflow and IBM Business Process Manager
June 1, 2020

Rewterz Threat Alert – Trickbot Updated with Nworm

June 1, 2020

Severity

Medium

Analysis Summary

Trickbot, a modular malware using various binaries to perform differing functions has been updated. One module, “mworm” has been updated to “nworm” in an effort to leave no artifacts on infected DCs which disappear after reboot or shutdown. Other differences include retrieval of an encrypted and encoded binary representing a TrickBot executable file. Previously, “mworm” would be retrieved unencrypted and unencoded. Additionally, “nworm” is run from system RAM and does not contain persistence. This evolutionary change allows for TrickBot to remain hidden and, thus, difficult to analyze since no remnants remain on the infected machine. As with previous iterations of TrickBot, it is a malicious Windows executable saved to disk. This EXE is often called TrickBot loader as it is used to load TrickBot modules, such as “nworm.” The URLs presented by TrickBot appeared in the form of IP addresses rather than the typical URLs. “mworm” stopped being presented in April 2020 and was replaced by “nworm.” Two other modules remain the same and perform as previously seen; “mshare” and “tab” remain persistent on the DC.

Figure-8.-TrickBot-propagation-flow-chart-since-April-2020..jpeg

Impact

  • Credential theft 
  • Exposure of sensitive data

Indicators of Compromise

MD5

  • 53bea2686837735d76e7f8b42ec100f6
  • 6892e13a05f90fd584c4a3762258785b

SHA-256

  • 85d88129eab948d44bb9999774869449ab671b4d1df3c593731102592ce93a70
  • 900aa025bf770102428350e584e8110342a70159ef2f92a9bfd651c5d8e5f76b

SHA1

  • 1f42b249b783a256995145a59d80ad502fdd3578
  • 623d448a9054af73b323e41e5c84218fefc09d99

URL

  • hxxp[:]//107[.]172[.]221[.]106/ico/VidT6cErs
  • hxxp[:]//107[.]172[.]221[.]106/images/cursor[.]png
  • hxxp[:]//107[.]172[.]221[.]106/images/imgpaper[.]png
  • hxxp[:]//23[.]95[.]227[.]159/ico/VidT6cErs
  • hxxp[:]//23[.]95[.]227[.]159/images/cursor[.]png
  • hxxp[:]//23[.]95[.]227[.]159/images/imgpaper[.]png

Remediation

  • Block all threat indicators at your respective controls. 
  • Check for IOC’s in your existing environment.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.