Rewterz Threat Alert – WebMonitor RAT Bundled with Zoom Installer
Severity
Medium
Analysis Summary
Threat actors have begun using an application named “Koronavirus haqida” to take over mobile devices, with the end result that the victim is locked out of the affected device. As with other malicious applications, it is downloaded from outside official sources. Once installed, the application locks the screen and displays a ransom note that includes a time limit by which to pay the ransom. The time limit is not real: the code contains nothing that enforces it. The device is genuinely locked, however, and the malware survives a reboot. On newer versions of Android (8.0 and above) the keys on the device are not locked, but the user is still unable to manually uninstall the software. Should the victim attempt to circumvent the protection, the device displays a message stating that functionality will be restored upon payment. The malware can be removed via Android Debug Bridge or by booting into safe mode. Should the victim pay the ransom, they will be able to uninstall the software through regular uninstall means. The malware has been reported in Ukraine, Russia, and certain countries in Central Asia such as Kazakhstan.
Impact
Locks out users from their device
Indicators of Compromise
MD5
SHA-256
SHA1
Remediation
Block all threat indicators at your respective controls. Always download legitimate applications from the Play Store.
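The analysis notes that the locker is distributed outside official stores and can be removed via Android Debug Bridge. The following script is an added example, not part of the Rewterz alert: it parses the installer column of `adb shell pm list packages -3 -i` to flag sideloaded third-party packages and prints the ADB removal command for review. The sample listing and package names in it are constructed placeholders, not indicators from this alert.

```shell
#!/bin/sh
# Added example (not Rewterz's): triage sideloaded Android packages over ADB
# and emit the removal command the analyst can run after reviewing it.

# Filter the output of `adb shell pm list packages -3 -i` down to packages
# whose installer is not the Play Store (com.android.vending). Lines look
# like "package:com.example.app  installer=com.android.vending"; a package
# installed by hand shows "installer=null".
sideloaded_packages() {
    tr -d '\r' | awk '
        /^package:/ {
            sub(/^package:/, "", $1)
            inst = "null"
            if (match($0, /installer=[^ ]+/))
                inst = substr($0, RSTART + 10, RLENGTH - 10)
            if (inst != "com.android.vending")
                print $1
        }'
}

# Build the ADB command that removes one package for the primary user
# (user 0). It is printed, not executed, so an analyst reviews it first;
# boot the device into safe mode if the locker interferes with the session.
removal_commands() {
    pkg="$1"
    printf 'adb shell pm uninstall --user 0 %s\n' "$pkg"
}

# Constructed sample standing in for a live `adb shell` result.
SAMPLE_LISTING='package:com.android.chrome  installer=com.android.vending
package:com.example.lockscreen  installer=null
package:com.example.sideload  installer=com.android.packageinstaller'

# Usage against a connected device:
#   adb shell pm list packages -3 -i | sideloaded_packages \
#       | while read -r p; do removal_commands "$p"; done
```

Uninstalling with `pm uninstall --user 0` removes the app for the primary user only; confirm the package is gone with `adb shell pm list packages -3` afterwards.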