Rewterz Threat Alert – Cryptomining DDoS Malware Lucifer targets Windows and Linux
August 20, 2020Rewterz Threat Advisory – CVE-2020-3446 – Cisco vWAAS for Cisco ENCS 5400-W Series and CSP 5000-W Series Default Credentials Vulnerability
August 20, 2020Rewterz Threat Alert – Cryptomining DDoS Malware Lucifer targets Windows and Linux
August 20, 2020Rewterz Threat Advisory – CVE-2020-3446 – Cisco vWAAS for Cisco ENCS 5400-W Series and CSP 5000-W Series Default Credentials Vulnerability
August 20, 2020Severity
High
Analysis Summary
Recently, ransomware attacks have been observed that reportedly already exploited more than 31 companies, with 8 of the victims being Fortune 500 companies. These highly targeted campaigns distribute the WastedLocker ransomware. The WastedLocker ransomware is a relatively new malicious payload used by the high-profile EvilCorp MTA, which previously used the Dridex trojan to deploy BitPaymer ransomware in attacks targeting government organizations and enterprises in the United States and Europe. This MTA currently focuses on targeted “big game hunting” (BGH) ransomware attacks with multiple industry victims in recent months, with Garmin as one of the latest high-profile victims attacked (officially confirmed by Garmin on July 27). The most recent ransom amount demanded was US$10M and appears to be based on the victim’s financial data. Based on the available details, the ransom was likely paid. To date, this MTA appears to have been using a mono-extortion scheme (data encryption only, with no or minimal data leakage) vs. other MTAs who use the threat of leaking a victim’s data as part of a double-extortion scheme (such as, e.g. Netwalker, Maze, and others).
Impact
- Files Encryption
- Loss of data
- Denial of Service
- Information Disclosure
- Credential theft
- Security bypass
Indicators of Compromise
Domain Name
- ludwoodgroup[.]xyz
- net-giftshop[.]info
- transvil2[.]xyz
- penaz[.]info
- typiconsult[.]com
- consultane[.]com
- msoftwares[.]info
- feedbackgive[.]com
- websitesbuilder[.]info
- rostraffic[.]com
- advokat-hodonin[.]info
- guiapocos[.]xyz
- devicelease[.]xyz
- paiolets[.]com
- woofwoofacademy[.]xyz
- lendojekam[.]xyz
- lgrarcosbann[.]club
- flablenitev[.]site
- traffichi[.]com
- utenti[.]info
- cofeedback[.]com
- respondcritique[.]xyz
- mwebsoft[.]com
- utenti[.]live
- lpequdeliren[.]fun
- triomigratio[.]xyz
- uplandcaraudio[.]xyz
- dns[.]proactiveads[.]be
MD5
- 0ed2ca539a01cdb86c88a9a1604b2005
- 572fea5f025df78f2d316216fbeee52e
- d124ae14809abde3528a479fe01a12bd
- 2000de399f4c0ad50a26780700ed6cac
- 2b3efa7882c674f4ae57dea991ff5014
- 6d000056522c9f92b027e0c443667485
- 31a57376158d926ae4cfa0574143d7ee
- 2cc4534b0dd0e1c8d5b89644274a10c1
- ef013138a06171ddaed1334601640db4
SHA-256
- 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a
- 3dfb4e7ca12b7176a0cf12edce288b26a970339e6529a0b2dad7114bba0e16c3
- c786e4de11e64be8d4118cf8ba6b210e3396e3bb579f3afd4bf528c35bab4a6b
- 83710bbb9d8d1cf68b425f52f2fb29d5ebbbd05952b60fb3f09e609dfcf1976c
- 7a45a4ae68992e5be784b4a6da7acd98dc28281fe238f22c1f7c1d85a90d144a
- 5cd04805f9753ca08b82e88c27bf5426d1d356bb26b281885573051048911367
- f093b0006ef5ac52aa1d51fee705aa3b7b10a6af2acb4019b7bc16da4cabb5a1
- bcdac1a2b67e2b47f8129814dca3bcf7d55404757eb09f1c3103f57da3153ec8
SHA1
- db908077689613c483bcdf037f211d0e3369ff12
- 70c0d6b0a8485df01ed893a7919009f099591083
- 82c6615db16db8fa5c25ed3ba9ee2ba4758872b4
- 92d32c824891ea2055fbdd6b66597d7f5c003e88
- 735ee2c15c0b7172f65d39f0fd33b9186ee69653
- 91b2bf44b1f9282c09f07f16631deaa3ad9d956d
- 4fed7eae00bfa21938e49f33b7c6794fd7d0750c
- 5e5e62ff09ee59fd7d17f79ef2c726ed1c1fc26f
URL
- http[:]//paiolets[.]com/install[.]exe
- https[:]//devicelease[.]xyz
- https[:]//utenti[.]info/1[.]exe
- https[:]//utenti[.]live/1[.]exe
- https[:]//szn[.]services/1[.]exe
- http[:]//lendojekam[.]xyz/index[.]php
- https[:]//uplandcaraudio[.]xyz
- https[:]//ludwoodgroup[.]xyz
- https[:]//respondcritique[.]xyz
- https[:]//woofwoofacademy[.]xyz
- http[:]//transvil2[.]xyz/index[.]php
- https[:]//guiapocos[.]xyz
- http[:]//flablenitev[.]site/index[.]php
- http[:]//lpequdeliren[.]fun/index[.]php
- https[:]//triomigratio[.]xyz
Remediation
- Block the threat indicators at their respective controls.
- Keeps all systems and software patched against all known security vulnerabilities.
- Do not download files from untrusted emails or from random sources on the internet.