Rewterz Threat Alert – Android SLocker Variant Uses Covid 19 to Take Android Hostage

May 5, 2020

Severity

Medium

Analysis Summary

Through an application named “Koronavirus haqida”, threat actors have begun looking for ways to take over mobile devices; the end result is the victim being locked out of the affected device. As with other malicious applications, it is downloaded from outside official sources. Once installed, the application locks the screen and displays a ransom note. The note includes a time limit by which to pay the ransom, but the limit is a bluff: the code contains nothing that enforces it. The device is genuinely locked, and the malware survives a reboot. On newer versions of the Android OS (8.0 and above) the device's keys are not locked, but the user is still unable to uninstall the software manually. Should the victim attempt to circumvent the protection, the device displays a message stating that functionality will be restored upon payment. The malware can be removed via Android Debug Bridge (ADB) or by booting into safe mode. Should the victim pay the ransom, they are able to uninstall the software through the regular uninstall process. The malware has been reported in Ukraine, Russia, and certain countries in Central Asia such as Kazakhstan.

Impact

Locks out users from their device

Indicators of Compromise

Remediation

Block all threat indicators at your respective controls.
Always download applications from the official Google Play Store rather than third-party sources.