March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Alert – Agent Tesla Malware – Active IOCs
September 8, 2022
Rewterz Threat Update – Former Conti Ransomware Gang Members Now Targeting Ukraine
September 8, 2022
Rewterz Threat Alert – Agent Tesla Malware – Active IOCs
September 8, 2022
Rewterz Threat Update – Former Conti Ransomware Gang Members Now Targeting Ukraine
September 8, 2022
Severity
High
Analysis Summary
In the year 2018, the threat actor WIRTE APT Subgroup was discovered for the first time. Spear-phishing emails are used to encourage victims to open a malicious Microsoft Excel/Word document. All of the Excel droppers found were using a technique that leverages formulae in hidden spreadsheets or cells to execute macro 4.0 commands named as Excel 4.0 macros. It is used to drop malware called Ferocious droppers. The payload was downloaded using conventional VBA macros by the Word droppers. The actor customized the counterfeit contents to the targeted victims, including logos and themes that were relevant to the targeted company or current events in their location. However, in some circumstances a bogus ‘Kaspersky Update Agent’ executable worked as a dropper for the VBS implant. The threat actor appears to have targeted a range of sectors, including diplomatic and financial institutions, government, law firms, military groups, and technological enterprises. Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey are among the countries affected. WIRTE is a suspected part of the Gaza Cybergang that is an Arabic politically motivated cyber criminal group. WIRTE APT Subgroup changed their toolkit and how they operate in order to be inconspicuous for longer. They use simple but successful tactics to compromise its victims and outperformed its suspected peers in terms of OpSec by using interpreted language malwares like VBS and PowerShell scripts.
Their latest campaign include maldocs: تعميم مالية الســـاحات الخارجية.ppam (Circular of External Finance.ppam)
Impact
- Information Theft and Espionage
Indicators of Compromise
MD5
- 4f80572a18c57f6ed76f4edfbeafda28
- 41d9a5902ade7b0e9d7516ce5ba09312
SHA-256
- e21362195463fe7c953afe07bea6a26ffead024c7f7394f51b683cbfe139b917
- 08a8ecc39817a81bb9cde3775ce7289d56e678e94b56b120e06eca171634a97d
SHA-1
- 7cd351e004819021ef300dbb8b247d118575bcf4
- d11192700af04ffe4770f236387ddb0e79ca9734
Remediation
- Block the threat indicators at their respective controls.
- Search for IOCs in your environment.