August 6, 2024
Severity
High
Analysis Summary
A threat activity cluster tracked as Bloody Wolf is targeting organizations in Kazakhstan with STRRAT (also known as Strigoi Master), a commodity Java-based malware.
Cybersecurity researchers said, “The program, selling for as little as $80 on underground resources, allows the adversaries to take control of corporate computers and hijack restricted data.”
Initial access comes through phishing emails that impersonate the Ministry of Finance of the Republic of Kazakhstan and other organizations and lure targets into opening a PDF attachment. The PDF poses as a non-compliance notice and contains two links: one to a malicious Java archive (JAR) file and one to instructions for installing the Java interpreter the malware needs to run.
The second link exists to make the lure credible: it leads to a page associated with the country's national government web portal that advises users to install Java for the portal to function. The JAR itself is hosted on a website that imitates the Kazakhstani government's site. Once it runs, STRRAT maintains persistence on the Windows host by changing the Registry and relaunches the JAR file every 30 minutes.
A duplicate of the JAR file is also placed in the Windows Startup folder so that it runs again after a reboot. The malware then connects to a Pastebin server to exfiltrate sensitive data from the compromised system: saved account credentials from Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird, plus details of the operating system and the installed antivirus software.
Depending on the commands it receives from the server, it can also log keystrokes, run commands through PowerShell or cmd.exe, restart or shut down the machine, install a proxy, and uninstall itself. Two points of tradecraft matter for defenders: a less common payload format such as JAR can slip past security controls tuned to more familiar file types, and routing command-and-control through a reputable public service such as Pastebin lets the traffic blend into ordinary web activity and evade network security solutions.
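The following hunting script is an added example for this advisory; it is not code from the advisory, the researchers, or the malware. It checks a single Windows host for the persistence and C2 artifacts described above: a JAR (or a shortcut to one) in a Startup folder, a Run/RunOnce value that launches a JAR, a scheduled task or live java/javaw process tied to a JAR, and pastebin.com in the local DNS cache. The registry keys and folder paths are the standard Windows locations, not indicators from the advisory, and the scheduled-task check is an assumption (the advisory says only that the JAR is relaunched every 30 minutes, not how). Run it from an elevated PowerShell 5.1 or later session; it only reads and changes nothing.

```powershell
# Added hunting script (not from the advisory): STRRAT-style persistence and C2 artifacts on one host.
# Read-only. Paths and keys are standard Windows locations, not advisory indicators.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Category, [string]$Location, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Detail = $Detail })
}
$jarPattern = '(?i)\.jar\b'   # any reference to a .jar, case-insensitive

# 1. JAR files or shortcuts in the all-users and per-user Startup folders
#    (the advisory says a copy of the JAR is dropped there so it survives a reboot)
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
foreach ($u in (Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue)) {
    $startupDirs += Join-Path $u.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in (Get-ChildItem $dir -File -Force -ErrorAction SilentlyContinue)) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') {        # resolve shortcuts so "javaw.exe x.jar" behind a .lnk is caught too
            $lnk = $shell.CreateShortcut($f.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        if ($target -match $jarPattern) { Add-Finding 'StartupFolder' $f.FullName $target }
    }
}

# 2. Run/RunOnce values (machine-wide and every loaded user hive) whose command references a .jar
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
foreach ($hive in (Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue)) {
    $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        if ([string]$p.Value -match $jarPattern) { Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value }
    }
}

# 3. Scheduled tasks whose action runs a .jar. Assumption: the advisory gives a 30-minute relaunch
#    cadence but does not name the mechanism; a scheduled task is one common way to get it.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($a in $task.Actions) {
        $line = "$($a.Execute) $($a.Arguments)"
        if ($line -match $jarPattern) { Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $line }
    }
}

# 4. Live java/javaw processes with a .jar on the command line
foreach ($proc in (Get-CimInstance Win32_Process -Filter "Name='java.exe' OR Name='javaw.exe'")) {
    if ($proc.CommandLine -match $jarPattern) { Add-Finding 'Process' "PID $($proc.ProcessId)" $proc.CommandLine }
}

# 5. pastebin.com in the local DNS resolver cache, the C2 channel used in this campaign
foreach ($rec in (Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like '*pastebin.com*' })) {
    Add-Finding 'DnsCache' $rec.Entry $rec.Data
}

if ($findings.Count -eq 0) { 'No STRRAT-style persistence or C2 artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Expect benign hits on hosts that legitimately run Java applications; triage each finding by hashing the referenced JAR against the hash list in the Indicators of Compromise section and by checking whether the Pastebin paths seen on the network match the listed raw URLs. The DNS cache only holds recent resolutions, so an empty result there is not proof of absence.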
Impact
- Sensitive Information Theft
- Keylogging
- Unauthorized Access
- Command Execution
Indicators of Compromise
IP
- 91.92.240.188
- 185.196.10.116
MD5
- d0aed4975f9801c4b43148877db005f2
- 7ac6ab0b4cd03b1cb7da928b324cb933
- fdb7946e658bad90ce4a9f794f3fbe51
- 28df81d2c476c271b0c2cc083192c282
- 4a3d3f1ffcd92d8cbcc1a608901d3d2e
- 09409cf2e9c5c0796b5b95586f965719
- 14c6e272eb3038aa41a57f5c81fd9fb3
SHA-256
- e35370cb7c8691b5fdd9f57f3f462807b40b067e305ce30eabc16e0642eca06b
- 00172976ee3057dd6555734af28759add7daea55047eb6f627e5491701c3ec83
- cb55cf3e486f3cbe3756b9b3abf1673099384a64127c99d9065aa26433281167
- a6fb286732466178768b494103e59a9e143d77d49445a876ebd3a40904e2f0b0
- 25c622e702b68fd561db1aec392ac01742e757724dd5276b348c11b6c5e23e59
- 14ec3d03602467f8ad2e26eef7ce950f67826d23fedb16f30d5cf9c99dfeb058
- ee113a592431014f44547b144934a470a1f7ab4abec70ba1052a4feb3d15d5c6
SHA1
- db0a00cc513cf289d7cd7d63904b2298c0470421
- 71b0d8b34ceed49dc0a4f3a42dba42391475f302
- b42c9327d3b39e356009080a99f9ae0dcfc6fb4b
- e08f962a4b87fbdc65e973d92b38985d121af6f4
- c0aece098056a801708935ecd8c9358adaa89578
- 53a94d95c0057406603f8a82a9368ffd99f7a10e
- 31ed947d4295f8ffdad8a1af78d08fb431919fc4
URL
- https://pastebin.com/raw/dFKy3ZDm
- https://pastebin.com/raw/dLzt4tRB
- https://pastebin.com/raw/YZLySxsv
- https://pastebin.com/raw/8umPhg86
- https://pastebin.com/raw/67b8GSUQ
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
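To act on the first two remediation bullets, the following sweep is an added example (not part of the advisory) that hashes files under chosen roots and matches them against the SHA-256 list from the Indicators of Compromise section, then greps exported proxy or firewall logs for the two C2 IPs and the five Pastebin raw URLs. The $Roots default, the $LogPath default and the 50 MB size cap are assumptions for the example and should be adjusted to the environment.

```powershell
# Added IOC sweep (not from the advisory): SHA-256 file matching plus log grep for the listed IPs and URLs.
# $Roots, $LogPath and the size cap are example assumptions; point them at your own system and log exports.
param(
    [string[]]$Roots   = @("$env:USERPROFILE", "$env:ProgramData", "$env:TEMP"),
    [string]  $LogPath = 'C:\logs\proxy'
)

# SHA-256 values copied from the Indicators of Compromise section above
$sha256 = @(
    'e35370cb7c8691b5fdd9f57f3f462807b40b067e305ce30eabc16e0642eca06b',
    '00172976ee3057dd6555734af28759add7daea55047eb6f627e5491701c3ec83',
    'cb55cf3e486f3cbe3756b9b3abf1673099384a64127c99d9065aa26433281167',
    'a6fb286732466178768b494103e59a9e143d77d49445a876ebd3a40904e2f0b0',
    '25c622e702b68fd561db1aec392ac01742e757724dd5276b348c11b6c5e23e59',
    '14ec3d03602467f8ad2e26eef7ce950f67826d23fedb16f30d5cf9c99dfeb058',
    'ee113a592431014f44547b144934a470a1f7ab4abec70ba1052a4feb3d15d5c6'
)
$ips  = @('91.92.240.188', '185.196.10.116')
$urls = @('https://pastebin.com/raw/dFKy3ZDm', 'https://pastebin.com/raw/dLzt4tRB',
          'https://pastebin.com/raw/YZLySxsv', 'https://pastebin.com/raw/8umPhg86',
          'https://pastebin.com/raw/67b8GSUQ')

# Get-FileHash returns upper-case hex, so compare case-insensitively
$hashSet = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
foreach ($h in $sha256) { [void]$hashSet.Add($h) }
$results = New-Object System.Collections.Generic.List[object]

# File sweep: one SHA-256 per file. MD5/SHA-1 are omitted because every listed sample also has a
# SHA-256; add them only if your tooling stores nothing stronger.
foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($f in (Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue)) {
        if ($f.Length -gt 50MB) { continue }   # assumption: STRRAT JARs are small, skip large files for speed
        $h = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h -and $hashSet.Contains($h.Hash)) {
            $results.Add([pscustomobject]@{ Type = 'FileHash'; Where = $f.FullName; Match = $h.Hash.ToLower() })
        }
    }
}

# Log sweep: literal IPs and URLs, regex-escaped so dots are not wildcards, bounded so that
# 91.92.240.188 does not also match 91.92.240.1880
$escaped = ($ips + $urls | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern = "\b(?:$escaped)\b"
if (Test-Path $LogPath) {
    $matches = Get-ChildItem -Path $LogPath -Recurse -File -ErrorAction SilentlyContinue | Select-String -Pattern $pattern
    foreach ($m in $matches) {
        $results.Add([pscustomobject]@{ Type = 'LogLine'; Where = "$($m.Path):$($m.LineNumber)"; Match = $m.Matches[0].Value })
    }
}

if ($results.Count -eq 0) { 'No IOC matches.' } else { $results | Format-Table -AutoSize -Wrap }
```

Hash matches only catch the exact samples listed; a rebuilt JAR will not match, which is why the behavioural hunt for Startup-folder and Run-key JARs matters alongside this sweep. When blocking, prefer the specific raw-paste URLs over all of pastebin.com unless that is already policy, and put an expiry on the IP blocks, since commodity infrastructure of this kind is reassigned.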