Severity
High
Analysis Summary
A Turla backdoor targeting Microsoft Exchange mail servers, remotely controllable through email attachments that carry commands hidden with steganography, was discovered in use against multiple targets around the world.
Targeting Microsoft Exchange servers with malware is unusual in itself, but the use of Transport Agents as a persistence mechanism is even more notable. Transport Agents are hooks in the Microsoft Exchange mail flow that let custom software take part in the processing of email messages. By registering a custom Transport Agent, the Turla threat group was able to apply its own rule set to every email passing through a compromised Exchange server, allowing them to read, modify, compose, send, or delete emails. Through the Transport Agent's rule file, the attackers implemented handlers that included the ability to execute commands. When an attacker sends an email with a PDF or JPG attachment to the victim organization, a rule is applied that decodes the commands hidden in the attachment via steganography. These commands give full control over the Exchange server through functions such as executing processes, exfiltrating files, and writing executables.
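The persistence mechanism described above leaves a registered Transport Agent on the server, which defenders can audit. The following script is an added example, not part of the Rewterz alert, and uses a heuristic of my own: a legitimate agent's assembly sits under the Exchange install directory and carries a valid Microsoft Authenticode signature, so anything else is reported for review. It assumes it is run in the Exchange Management Shell, where Get-TransportAgent is available and Exchange setup has populated $env:ExchangeInstallPath.

```powershell
# Added example: audit Exchange Transport Agents for rogue registrations.
# Run in the Exchange Management Shell on each server hosting the transport service.
# Get-TransportAgent lists the Hub transport service by default; pass
# -TransportService FrontEnd / MailboxSubmission / MailboxDelivery to cover the others.

$installPath = $env:ExchangeInstallPath
if (-not $installPath) {
    throw "ExchangeInstallPath is not set; run this from the Exchange Management Shell."
}

$findings = foreach ($agent in Get-TransportAgent) {
    # The default table view hides AssemblyPath; fetch the full object by identity.
    $detail  = Get-TransportAgent -Identity $agent.Identity
    $asm     = $detail.AssemblyPath
    $reasons = @()

    if (-not $asm) {
        $reasons += "no assembly path recorded"
    } elseif (-not (Test-Path -LiteralPath $asm)) {
        $reasons += "assembly file missing on disk ($asm)"
    } else {
        # Heuristic 1 (assumption): built-in agents live under the Exchange install directory.
        if (-not $asm.StartsWith($installPath, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "assembly outside Exchange install directory ($asm)"
        }
        # Heuristic 2 (assumption): built-in agents are Authenticode-signed by Microsoft.
        $sig = Get-AuthenticodeSignature -FilePath $asm
        if ($sig.Status -ne 'Valid') {
            $reasons += "Authenticode status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons += "signed by non-Microsoft publisher ($($sig.SignerCertificate.Subject))"
        }
    }

    [pscustomobject]@{
        Identity   = $detail.Identity
        Enabled    = $detail.Enabled
        Priority   = $detail.Priority
        Factory    = $detail.TransportAgentFactory
        Assembly   = $asm
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Suspicious agents first; review each flagged assembly and its rule files before removal.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A flagged agent is a lead, not a verdict: third-party mail hygiene products also register agents, so confirm the publisher before disabling anything.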
Impact
- Remote code execution
- Exfiltration of sensitive documents
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)
Affected Vendors
Microsoft
Affected Products
Remediation
Block all threat indicators at your respective controls.