June 4, 2020
Severity
High
Analysis Summary
Beginning in January 2020, a campaign was detected that employed advanced obfuscation to evade detection. By placing the malicious macro on hidden Microsoft Excel sheets, the document goes unnoticed by many detection engines. The documents are believed to be delivered via social-engineering emails. Once the victim is persuaded to enable editing and content, the macros on the hidden sheets execute a WinAPI function to download the next-stage malware.
The macro worksheet is heavily obfuscated and starts with a number of “RUN” commands that eventually end in several interesting commands such as “CALL” and “EXEC”.
The macro uses a Win32 API function to download the next stage.
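As an added detection example (not part of the Rewterz advisory), the following Python scans an OOXML workbook (.xlsm) for hidden or veryHidden sheets and for RUN/CALL/EXEC formulas on Excel 4.0 macro sheets. It assumes the OOXML container rather than the legacy .xls binary format, which the advisory does not specify; the sample workbook and its macro-sheet namespace are constructed inline for the test.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

SUSPICIOUS = re.compile(r"\b(RUN|CALL|EXEC)\s*\(", re.I)  # XLM functions named in the advisory

def _local(tag):  # strip the XML namespace from an element tag
    return tag.rsplit("}", 1)[-1]

def _formulas(xml_bytes):
    """Yield (cell_ref, formula) for every <c><f>...</f></c> in a sheet part."""
    for cell in ET.fromstring(xml_bytes).iter():
        if _local(cell.tag) == "c":
            for child in cell:
                if _local(child.tag) == "f" and child.text:
                    yield cell.get("r"), child.text

def scan_workbook(data):
    """Inspect an OOXML workbook (bytes) for hidden sheets and macro-sheet formulas."""
    found = {"hidden_sheets": [], "macro_sheets": [], "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter():
            # state="hidden" can be unhidden from the Excel UI; "veryHidden" cannot
            if _local(sheet.tag) == "sheet" and sheet.get("state") in ("hidden", "veryHidden"):
                found["hidden_sheets"].append((sheet.get("name"), sheet.get("state")))
        for part in z.namelist():
            if part.startswith("xl/macrosheets/") and part.endswith(".xml"):
                found["macro_sheets"].append(part)
                for ref, formula in _formulas(z.read(part)):
                    if SUSPICIOUS.search(formula):
                        found["suspicious_formulas"].append((part, ref, formula))
    return found

def is_suspicious(found):
    """Flag when a hidden sheet coexists with RUN/CALL/EXEC on a macro sheet."""
    return bool(found["hidden_sheets"]) and bool(found["suspicious_formulas"])

def build_sample():
    """Constructed test workbook: one visible sheet plus a veryHidden macro sheet."""
    wb = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
          '<sheets><sheet name="Sheet1" sheetId="1"/>'
          '<sheet name="Macro1" sheetId="2" state="veryHidden"/></sheets></workbook>')
    macro = ('<macrosheet xmlns="http://schemas.microsoft.com/office/excel/2006/main">'
             '<sheetData><row r="1"><c r="A1"><f>RUN(A2)</f></c></row>'
             '<row r="2"><c r="A2"><f>CALL(B1,B2,B3)</f></c></row>'
             '<row r="3"><c r="A3"><f>EXEC(B4)</f></c></row></sheetData></macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", wb)
        z.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()
```

Run `scan_workbook(open(path, "rb").read())` on a quarantined attachment; a hidden sheet alone is common in legitimate workbooks, so the combined check in `is_suspicious` is the one worth alerting on.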
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
SHA1
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.