Rewterz Threat Alert – COVID-19 Themed Android Malware Steals SMS and Contacts
May 21, 2020
Severity
Medium
Analysis Summary
WolfRAT is a modified version of DenDroid. Based on strings in the code and the C2 domain names, Thai users and devices appear to be the targets of this campaign. Once installed on an Android device, WolfRAT gives the operators a range of capabilities, including information stealing and remote management of the malware itself. Researchers identified four variants of the RAT with minor changes between each version: the C2 domain changes with each version, and certain permissions and functions are removed or added. Features added since the initial version include the ability to execute shell commands and to monitor Line, Facebook Messenger and WhatsApp activity. The most recent version also masquerades as a Google services application. The researchers note that the development cycle observed reflects an amateur development methodology. Infrastructure overlaps and leaked information led the researchers to attribute this activity to the Wolf Intelligence group, which had been believed inactive since its activities were publicly reported in 2018. Given this attribution and the malware's core functionality, the operators' main goal is likely intelligence gathering.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
SHA-256
Remediation
- Block all threat indicators at your respective controls.
- Always download recommended/legitimate applications from the Google Play Store.