Rewterz Threat Advisory – CVE-2019-6974 – Linux Kernel KVM “kvm_ioctl_create_device()” Use-After-Free Vulnerability
February 27, 2019
Rewterz Threat Advisory – CVE-2019-1674 – New Elevation of Privilege Vulnerability Found in Cisco WebEx Meetings
February 28, 2019
Severity
Medium
Analysis Summary
WARZONE RAT (also known as Ave_Maria Stealer or Ave Maria RAT) is being distributed through malspam: phishing emails with bank, refund and payment themes that deliver the malware as an attachment or link. The indicators observed across these campaigns (sender addresses, email subjects, the download server that stages the payload and its supporting DLLs, and sample hashes) are listed below.
Indicators of Compromise
IP(s) / Hostname(s)
- 5.206.225[.]104
- 146.255.88[.]214
Domains / URLs
- warzonedns[.]com
- hxxp://5.206.225[.]104/dll/vcruntime140.dll
- hxxp://5.206.225[.]104/dll/softokn3.dll
- hxxp://5.206.225[.]104/dll/msvcp140.dll
- hxxp://5.206.225[.]104/dll/mozglue.dll
- hxxp://5.206.225[.]104/dll/freebl3.dll
- hxxp://5.206.225[.]104/dll/nss3.dll
- hxxp://5.206.225[.]104/dll/upnp.exe
Note: nss3.dll, softokn3.dll, freebl3.dll and mozglue.dll are the Mozilla NSS libraries, and vcruntime140.dll / msvcp140.dll are the Visual C++ 2015 runtime they depend on. Stealers commonly fetch these at runtime to decrypt Firefox-style credential databases, so a host that has requested this set of files from 5.206.225[.]104 has very likely already executed the payload.
Email Addresses
- manarnasr[@]madeinaudio[.]com
- tou013[@]efx.net[.]nz
Email Subjects
- Important Process form Regarding fraud Adjustment Refund
- TD Bank Secure Mail
- Transaction receipt for eInvoice 4596
- ACH Credit Transaction
Malware Hash (MD5/SHA1/SHA256)
SHA1
- 4e56a44a29a1f6038f2f0c1909aa02846e61a3b9
- 8662cce96988085e2e35f80c0d9a3e7bb9022b22
- 708c6af4b82bd6913709fe6ed17c766e2585b3b4
- 1f8080cd046576290f28e1e22c2daf7843d72642
- b3892eef846c044a2b0785d54a432b3e93a968c8
- ffcdc87572815d4801094dd7fa7df5f5868d0b3e
SHA256
- 153b601dd6780f1a532f68444f92aeed2c7971b58547aaf2b9d5165c0c14623d
- 27a855a5b954c4a2415b5f49cd798872a5bc6a08878ba5eea010b0a27718a987
- 49027f9a9bf07e48b40512aab3c06d5dcdf7a50bfd7019bf32182a1f2ffacf16
- cfe14dc4f408f1d1cbabf5b05cde303a8c8ff6a600d98b3ef4b12ab1d2f73ba0
- 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
- 0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9
MD5
- a2681b18b9e0d0a449cc9fd018d503cc
- 2cb663a749b8f07054e8ffc29564f78e
- 469209838a2ae561997998debabac084
- b74a28a008ea01c409392dbeb15a078a
- 461ade40b800ae80a40985594e1ac236
- ee03ca33712e4ee518cb7b046d0f64ec
Remediation
- Block the threat indicators at their respective controls: the IPs and domain at the firewall, DNS resolver and web proxy; the URLs at the web proxy; the sender addresses and subjects at the mail gateway; the file hashes in endpoint protection/EDR.
- Search proxy, DNS, mail and endpoint logs retroactively for the same indicators. Hosts that have downloaded the DLLs or upnp.exe from 5.206.225[.]104 should be isolated and investigated as compromised, and any credentials stored on them reset.
- Always be suspicious of unsolicited email, particularly messages with bank, refund or payment themes such as the subjects listed above.
- Never open or download attachments, or follow links, from unrecognized senders.
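The indicators above are published defanged, so they cannot be pasted straight into a blocklist or a log search. The following script, an added example rather than anything from the advisory itself, refangs the indicators, sorts them by type (IP, domain, URL, email, MD5/SHA1/SHA256) and sweeps a set of log lines for them with boundary-aware matching, so that 5.206.225.104 does not fire on 15.206.225.104 and a subdomain of warzonedns.com is still caught. The log lines are constructed for the example and are not from the advisory; only a subset of the indicators is embedded, and the full list drops in unchanged.

```python
"""Refang, classify, and sweep logs for the indicators in this advisory."""
import re
from collections import defaultdict

# Subset of the defanged indicators from the advisory above; paste the
# full list here in practice (one indicator per line, as published).
RAW_IOCS = """
5.206.225[.]104
146.255.88[.]214
warzonedns[.]com
hxxp://5.206.225[.]104/dll/nss3.dll
hxxp://5.206.225[.]104/dll/upnp.exe
manarnasr[@]madeinaudio[.]com
tou013[@]efx.net[.]nz
4e56a44a29a1f6038f2f0c1909aa02846e61a3b9
153b601dd6780f1a532f68444f92aeed2c7971b58547aaf2b9d5165c0c14623d
a2681b18b9e0d0a449cc9fd018d503cc
"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Undo the defanging conventions used in the advisory ([.], [@], hxxp)."""
    return (ioc.strip()
            .replace("[.]", ".")
            .replace("[@]", "@")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def classify(ioc: str) -> str:
    """Return 'md5'/'sha1'/'sha256', 'url', 'email', 'ip' or 'domain'."""
    if re.fullmatch(r"[0-9a-fA-F]+", ioc) and len(ioc) in HASH_TYPES:
        return HASH_TYPES[len(ioc)]
    if ioc.startswith(("http://", "https://")):
        return "url"
    if "@" in ioc:
        return "email"
    if IPV4.match(ioc):
        return "ip"
    return "domain"


def load_iocs(raw: str) -> dict:
    """Group refanged, lower-cased indicators by type: {'ip': {...}, ...}."""
    groups = defaultdict(set)
    for line in raw.splitlines():
        if line.strip():
            ioc = refang(line)
            groups[classify(ioc)].add(ioc.lower())
    return dict(groups)


def pattern_for(ioc_type: str, value: str) -> re.Pattern:
    """Boundary-aware regex: 5.206.225.104 must not match inside 15.206.225.104.

    Domains also match their subdomains; URLs match as a prefix so a query
    string or extra path component does not hide a hit.
    """
    if ioc_type == "url":
        return re.compile(re.escape(value))
    prefix = r"(?:[\w-]+\.)*" if ioc_type == "domain" else ""
    return re.compile(r"(?<![\w.])" + prefix + re.escape(value) + r"(?![\w.])")


def sweep(log_lines, iocs) -> list:
    """Return (line_index, ioc_type, ioc) for every indicator seen in a line."""
    compiled = [(t, v, pattern_for(t, v)) for t, vals in iocs.items() for v in vals]
    hits = []
    for i, line in enumerate(log_lines):
        lower = line.lower()
        for ioc_type, value, pat in compiled:
            if pat.search(lower):
                hits.append((i, ioc_type, value))
    return hits


# Constructed sample log lines (proxy, DNS, mail gateway, EDR); not from the advisory.
SAMPLE_LOGS = [
    "1551340000.123 10.0.0.15 TCP_MISS/200 412000 GET http://5.206.225.104/dll/nss3.dll - DIRECT/5.206.225.104",
    "1551340001.456 10.0.0.15 TCP_MISS/200 60000 GET http://example.com/index.html - DIRECT/93.184.216.34",
    "client 10.0.0.22 query: warzonedns.com IN A",
    'from=<manarnasr@madeinaudio.com> to=<finance@corp.example> subject="TD Bank Secure Mail"',
    "edr host=WS-017 path=/tmp/sample.bin sha1=4e56a44a29a1f6038f2f0c1909aa02846e61a3b9 action=quarantine",
    "1551340002.000 10.0.0.30 TCP_MISS/200 1200 GET http://15.206.225.104/ - DIRECT/15.206.225.104",
]

if __name__ == "__main__":
    for idx, ioc_type, value in sweep(SAMPLE_LOGS, load_iocs(RAW_IOCS)):
        print(f"line {idx}: {ioc_type} {value}")
```

Run against the sample lines it reports the proxy fetch of nss3.dll (as both an IP and a URL hit), the DNS query for warzonedns[.]com, the mail from the listed sender and the EDR event carrying a listed SHA1, and stays silent on the benign lines, including the 15.206.225.104 near-miss. To feed real data, replace SAMPLE_LOGS with lines read from your proxy, resolver, mail gateway and EDR exports.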