Rewterz Threat Alert – Vulnerable Corporate VPNs Exploited in the Wild

October 18, 2019

Rewterz Threat Advisory – CVE-2019-13537 – AVEVA Vijeo Citect and Citect SCADA Server Side Crash Vulnerability

October 21, 2019

Rewterz Threat Alert – Ursnif Distributed Through Reply-Chain Attacks to Look Legitimate

October 18, 2019

Severity

High

Analysis Summary

Ursnif is being distributed using Reply-Chain attacks and password protected .zip files across multiple clients. Inside of the .zip files will be documents containing macros which execute and reach out to a Ursnif distribution server to download the payload.

The Reply-Chain attacks are carried out by infecting one victim, accessing their emails, locating an ongoing email chain, and then injecting their malicious file into the email chain. This is very effective, because it appears to come from a trusted source.

Additionally, Ursnif demonstrates some fileless capabilities. It installs itself in a Registry Key which will contain powerscript/mshta commands in order to pull down and re-execute itself. As everything else is done in memory, the file is not resident on the HDD, but instead exists in the Registry.

Impact

Information Theft
Credential Theft

Indicators of Compromise

Domain Name

ztoy[.]top
sizfjalenk51[.]com
v25brigittet[.]com
k23ueugeniay[.]com
qmiller[.]club
bepkristagrant[.]top
vipresleynz[.]com
jt23932[.]xyz
jecdkeay[.]com

Hostname

ww2[.]vipresleynz[.]com
ww3[.]vipresleynz[.]com
ww4[.]vipresleynz[.]com

SH256

a066cf151d234f9adf814390295084a96cb50adfdc4b7fb513ecd9c0cf9e0450
26452b3a29c72e59201508f944393bd80269a845853dbb43b2cf378ecc9562eb
4357f07f5f3c1538212c607f0dab348274270bc9db458e22020b3d36741ad7dc
77bccfc252dcf4ace4243f15e73f396a01a9d6c4b1ea533b5c45a2c399ca0948
d1c95a48e268f0421dca29f80d630d48d581c08c184e31c5604e8acb982f3111
eb28767989e946cd0d7395e2164a5269c2f9a8185936367dd90047cbeb3778e1
22a0ce688275851d810b8ea930bcdfb9e5e2fa78c7814d6f07f6dc104bea055f
23e51ff862fa08c2bbb969eb4fa78ebd28dc07f55b90ab2433fa2078ac3a8ca4
23e70bda780d04bc3f94b7d58918f96e3d89153e6c44b9658589f4bcb0bb4d04
46012e839c34e9d75f0aea81cb1e244167a954470dea09c9299c5af0d0d26f5e
4cabf52beeb0818c1965b33dce4e8703c80c1347e6a252218d1fbba8590bd6f7
6968f026d732878c997d26ae55d3429952f1d6f7cb07b6ff6d1a4a99c4035498
86e1eed479af35827e6287eb319e49d404edbe76631503337381357832c2b8b4
a7683dd18109b63e5b2365da1f64ec4d436a66857f48f4f7fe78fb01b5c901bd
c4234865023f7c6dd8f5a8c3c2d73295c2f9119314f90afeda3b110548db0810
ff1f4197de5db64bc8228d3197c8936813a733488445c73dea441d2abdd64e94

Source IP

194[.]87[.]146[.]138
200[.]63[.]47[.]3
162[.]218[.]210[.]178

URL

http[:]//v25brigittet[.]com/images/FaQ55z3K_2FGIz9mghFXGxY/XDRZdpWTAS/9ahnn5BzLR5PpDpAm/WiKZ6aYR4_2B/S0 UCb4onYzq/DL2_2FAbc9UhQP/k9yOAnyDaKbAUY6Yrt0NU/FlKtTIMZCIxNM7TJ/ibGnkcgQ0GV88Yt/UfAM8WmF/GWpPzth5/D[.]avi
http[:]//bepkristagrant[.]top/ https[:]//bepkristagrant[.]top/
http[:]//jt23932[.]xyz http[:]//jt23932[.]xyz/
http[:]//jt23932[.]xyz/favicon[.]ico http[:]//jt23932[.]xyz/images/
http[:]//jt23932[.]xyz/images/9LYWeKMmRFjkUr/2yEx9G126aQqnujMKQcBo/uQ1ikRI4VnE6cmVy/Anr9O2xeyvVnGvs/J_2F 46IQ79Fnea4bBU/9ectIYcH4/uo1XoZZ_2FmbOeRh8REh/2m3UW3njmnm1zzkFkiS/IX9kEhoZhlfc8nV8Ad/vPJN[.]avi
http[:]//jt23932[.]xyz/images/RxDlsYgPclDm/mqmfEqzqKjU/39Ncxb9eU0fl7o/C9mvjBZY8EQB642Km8m9f/2Tqq5gBcd8pI Oh4b/4Oppw4YTExA09jl/CgKC56zy3uZnhPlyyZ/zYsloLWl_/2Bsf_2Bk0oF6aNCywlqo/T52icgZkU/rmhHg0I2/g[.]avi
http[:]//jt23932[.]xyz/images/SR9KKK9mDa/CYAQnUAntVJznUnXf/_2BQdkCeNpg_/2FpewJelxLV/g2EQ8hDWhaWF55/142G XtoTK1rHMk7boir1U/g_2F4DD4XgzUQ3dt/muqK8hz3FPasq7P/nMoP8m8We53yEvHTFZ/uY9PHuk47/XmNdOf_2ByIAx/go[.] avi
http[:]//jt23932[.]xyz/images/btttd1nc5u7m1gfwri5db7s/ql9d4zkjfc/zhqmgkovvs3xxqiug/0tzfayrhzta6/3dlaujahlvf/7h3j9 xflc5wwvk/8kcy4y5kcfojjg7emmrbc/paxmnq9zlq5vroke/wccywxnn8fihgoi/2zrbq74sa/xi[.]avi
http[:]//jt23932[.]xyz/images/ebwNxFNQkj_2F/dEGrQ8o2/foqH3x_2FKtoXInps4FKDqa/AVLOqWZ41t/kyDBJQ8z31DYibt99/ p8e3aLUvVXBS/tj7eMTvVhzH/BdjW2jkFXH05ES/aUg6n_2BsUr_2F_2Bf4Kt/bab0tY_2FFXAw7Do/LDPJCc65/fiZ8g8Ii/Q[.]avi
http[:]//jt23932[.]xyz/images/hPGryY8pEOstgn/jz3kf_2FjvCIp3FqvnPlh/Ss_2FxBEGREbS9bf/ODC7dYy12zmlbsb/XW8tV0T 7M1VuyTx5Ce/07ZYk52q0/CDkE8F4rqVVw53JiOv43/Sl2ZdbWokdCgTERFrU7/KDcIlBMftn/diUqR0bpy/EB5[.]avi
http[:]//jt23932[.]xyz/images/lzUeA7sRaDrQrPuB_2F/DJCz2MoH33d6BseYeU7a5X/UutSJOG_2Bp2l/1NmApyF4/XLD3PiHkk WnqobusQwka7_2/BY9WJhOHsd/fgqsXortDMWtUI8cD/FirgP_2FpHB2/mBNQ0ByNfwB/svz0ej7L_2BfO9/8OEcl8_2FcHn/v[.] avi
http[:]//jt23932[.]xyz/images/qspMCJDXidt_/2BCIImd5R9M/m9GqPIJz3CkizN/HMFLLfFpR2ta8pSkKO4Tv/f4stJe_2B5wODbg A/j5IyDrqcGwuv0Xk/Mig8no2z2aqitDPuhH/sCsO7wnfp/NeDw2yDY_2F6nAuOHTtG/hMgAzVpxzRnkhe5/Rklix[.]avi http[:]//vipresleynz[.]com/
http[:]//vipresleynz[.]com/images/X7LDnOaa7nZFoOROAJ/VoZbaW4tF/gZO12QOrj_2B0vhCYjTm/KXyTJ0qbSF1AUPJsMHD/ b5T_2BUXIgrmgsrNtsIbxY/dmHcPDAuaOFSb/WTnpLzYo/gM_2Fo9_2BToboDQjt9cscc/jNC_2FiSnm/McvIhXuDY0M
http[:]//vipresleynz[.]com/images/lc5W4GeK5/pMcTTKyonUlk0TlYataQ/9Cpm8IXUiZvRl2NPeOm/pDjk2I7uTIJvOqDSADYo6 a/cw1B2ZsSzPkya/rY2HLtCg/CE6XyqTO8jGNiv_2B4GIkvv/81qVnJvFBv/WnIuEM5L0qYzefsJx
http[:]//vipresleynz[.]com/images/lc5W4GeK5/pMcTTKyonUlk0TlYataQ/9Cpm8IXUiZvRl2NPeOm/pDjk2I7uTIJvOqDSADYo6 a/cw1B2ZsSzPkya/rY2HLtCg/CE6XyqTO8jGNiv_2B4GIkvv/81qVnJvFBv/WnIuEM5L0qYzefsJx/7vvLKISr/51y[.]avi
http[:]//vipresleynz[.]com/images/rE6bUsfRTah_2Bvt/t3ehZrbOuNAdI6_/2FpNRfRL7PGPwJs5Jp/5nMIqH1ja/5sgDepHdr2Oa tdrcS2LX/Ga_2F0e_2Fux5Vhw64n/jAy8OdZdUfisGzsuvTP7sB/HrxCSUcNWapiV/xyEilPQv/8YpUli1i_2F http[:]//ww2[.]vipresleynz[.]com/?sub1=8a137de0-e84e-11e9-b443-6fc1e91426c4
http[:]//ww3[.]vipresleynz[.]com/
http[:]//ww4[.]vipresleynz[.]com/ https[:]//vipresleynz[.]com/
http[:]//jecdkeay[.]com/ https[:]//jecdkeay[.]com/
http[:]//sizfjalenk51[.]com http[:]//sizfjalenk51[.]com/
http[:]//sizfjalenk51[.]com/favicon[.]ico
http[:]//sizfjalenk51[.]com/images
http[:]//sizfjalenk51[.]com/images/472HFxZ5l4tHvgRl3V/A8Zwc5iiD/z7Hpom6i0eSZfehkwwO9/idWkaXCYz4tD3jwgjQn/_2 FlBWWURQCi0OB8d8T1GQ/aKp874_2F_2FK/Eu1f0RrN/LUEZKLleIAaDsFHtf2_2Bg6
http[:]//sizfjalenk51[.]com/images/472HFxZ5l4tHvgRl3V/A8Zwc5iiD/z7Hpom6i0eSZfehkwwO9/idWkaXCYz4tD3jwgjQn/_2 FlBWWURQCi0OB8d8T1GQ/aKp874_2F_2FK/Eu1f0RrN/LUEZKLleIAaDsFHtf2_2Bg6/wsoUB5oioM/zD5hJDe3X/0yoD9po[.]av i
http[:]//sizfjalenk51[.]com/images/NJmri2_2BHm80N/jV9E13yKOb3kDRyPsOhqy/4L214bCB4CIiCNwx/1cyqdTDB0ZcmPy4 /oNzpFMQCpuOVutlUy0/EJfchMJQc/VYhq3hje6X8tfhHUhqZH/wDa51WD9QurdBuQwCF9/BAhSAyvC3L/CTqbg91ZP/9[.]avi
http[:]//sizfjalenk51[.]com/images/P5V7KNJc/qteexShBbsKgBQgofOXRwwj/07pewQrrjr/FTYuugJWn44JKiPSi/z2S4kpdTZAk V/TOJlVViQlBm/MDtevqpYSYr_2B/hCIFhnQ9iRbhWRNl9lSeE/d_2FnWgqriSkqVmW/eo4D65y6_2BM2ZT/MVT2BNHJ/R[.]avi
http[:]//sizfjalenk51[.]com/images/Z7BhGdVjU8AWlckbQ/PZZLxG5QiZow/bQk7UvwwbS1/NSAJoOjOvdHq5e/ddEPvbqluK1 XsBKn5tp2N/YLIRKRZYv1_2BG2R/BMiL3cFVu9nHGJO/zW9fIGYwRxqSRhxRBU/QnwxdJUwt/YnQwFhSnW68K/bQ6fzOq[.]avi
http[:]//sizfjalenk51[.]com/images/_2BQlDy3SgkoRBGGJ_2B/JjRFjohMTQ3h7vKDHFC/_2Bm4xcN8TMUBoMkRlJXyp/nTUI7P WhEmox_/2BoQzywA/SuNYm0z_2Boa7VWM4xZhO3m/yNbVTY_2BW/1BR0uhTn3vP2G8C5Y/6rtEjDWbIlQ7/lKkZHhSvz/kuX Jqk6L/q[.]avi
http[:]//sizfjalenk51[.]com/images/he2XKahi7XFvWbEFX_2F1M/KpCebmTr_2FJ4/orwwY_2F/OF2_2FoyY15SNTGJz_2Fn8O/0 lLebBIohJ/U6X5YeviGrx64y6u2/GdgzEivYR6p_/2BiGhnWXrk7/uG9Oyl22apWEAc/8RDS5ZLbXX3I53c5UHMNB/Op1FE_2F8 m/bw8[.]avi
http[:]//sizfjalenk51[.]com/images/j02HquE_2/F7Z2C2XRbtJDZ_2FNLI7/oLjEEJPNX1Mjjgsv8tu/88Hom2vL0sINbFa50GRWF X/k_2FTCfHfqvV2/gU5Y9o3F/lqD8NZpmLI1HfkNb_2BNnPW/r3z5xwHBIY/M60wig2JpZcn58sw0/2iZy_2F9umpI/wtrr69o7Xh G/Dhwrsxcu/ytgpd7Mu/9[.]avi
http[:]//sizfjalenk51[.]com/images/jZ8vuoYPNX3MN33d72lzE/xiq9gcYVnssjHnJ3/EsEm43RqnxUB7L4/gXNmpAlnd5_2B8El 2S/7nVphu2an/EKoCTOkUK24bLkk2GyLO/LMqImM_2BNx0i22IKSr/vNMNRW3m_2Bk8E4Ya4yhUc/GSOHXkiSOlz0n/mvU[.] avi
http[:]//sizfjalenk51[.]com/images/lo7ZqFtAZKahzi4gSL6/W7DIyomPQ48o1ou5in0zOH/HqPl6_2B1jveG/b556JmSF/4bWa WkGw6bC102wt3s0nt5a/eglp4vYKKX/V3apC1DVEO1B3bc1u/kDwM7qOAp_2F/vIhU_2FsY_2/FBUcR_2Ff8Urg_/2FWnC1IlU_ 2Fsg/E[.]avi
http[:]//sizfjalenk51[.]com/images/qIDJWm6lgwj8JFWS/8dWI2kqr7kKIMsR/mawnwkdCvjhkfzm55n/8Y2Ix5H_2/Ba0_2FEGE TflUpoCus4U/fLkg_2BfQn39um2goch/2_2FldabIh6zVKiJSF4Ifm/RQvG93l2arQjJ/qsGgmgnx/x_2B3xDrCa3ZVrIkYG4Qgs2/oj 0XTNsh2Mcf/N51uSJ[.]avi

Remediation

Block the threat indicators at their respective controls.
Do not download email attachments even if they’re received from legitimate sources, without first confirming from the sender.
Do not enable macros for downloaded files unless they are extremely necessary.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – Mekotio Banking Trojan aka Melcoz – Active IOCs

Rewterz Threat Update – Cyber Threat Intelligence Advisory – 23rd March Pakistan Day

Rewterz Threat Advisory -Multiple Jenkins Products Vulnerabilities

Threat Insights

About Us

Our Leadership

CSR

Connect with Us